In case an attacker manages to generate a valid cryptographic message authentication
code (HMAC-SHA1) - either by using a different existing vulnerability or in case the
internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a
TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php
which again contains the encryptionKey as well as credentials of the database management
system being used.
In case a database server is directly accessible either via internet or in a shared hosting
network, this allows to completely retrieve, manipulate or delete database contents.
This includes creating an administration user account - which can be used to trigger remote
code execution by injecting custom extensions.
It has been discovered that an internal verification mechanism can be used to generate
arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic
message authentication code (HMAC-SHA1) and can lead to various attack chains as described
below.