Typo3 Install Tool publicly accessible - Vulnerability Database

Typo3 Install Tool publicly accessible

Description

The TYPO3 CMS Install Tool is publicly accessible without proper access restrictions. The Install Tool is a powerful administrative interface that provides deep system-level access to the TYPO3 installation, including database configuration, system settings, and file management. When exposed publicly, this interface becomes vulnerable to unauthorized access attempts, particularly brute force attacks against the Install Tool password.

Remediation

Immediately restrict access to the TYPO3 Install Tool using one or more of the following methods:

1. Disable the Install Tool when not in use: Delete or rename the file ENABLE_INSTALL_TOOL located in the typo3conf/ directory. This file is automatically created when accessing the Install Tool and should be removed after administrative tasks are complete.

2. Implement IP-based access restrictions: Configure your web server to restrict access to /typo3/install.php to trusted IP addresses only. For Apache, add the following to your .htaccess or virtual host configuration:

<Files "install.php">
  Require ip 192.168.1.100
  Require ip 10.0.0.0/8
</Files>

For Nginx, add to your server configuration:

location ~* /typo3/install\.php$ {
  allow 192.168.1.100;
  allow 10.0.0.0/8;
  deny all;
}

3. Use strong Install Tool passwords: Ensure the Install Tool password is complex and unique, configured in the TYPO3 backend under Admin Tools > Settings > Manage Installation-Wide Options.

4. Monitor access logs: Regularly review web server logs for unauthorized access attempts to the Install Tool endpoint.
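The log review in step 4 can be automated. The following Python script is an added example (not part of this Invicti entry and not TYPO3's own code): it parses Apache/Nginx combined-format access log lines, keeps only requests to /typo3/install.php, and reports every source address outside the trusted ranges from step 2, marking repeated POSTs (the login form submissions a password-guessing attempt would generate) separately. The sample log lines, the trusted ranges 192.168.1.100 and 10.0.0.0/8 taken from the Apache snippet above, and the five-POST threshold are all assumptions made for the example.

```python
"""Flag Install Tool access attempts in web server access logs.

Added example for this vulnerability entry, not Invicti's or TYPO3's code.
Assumes the combined log format and the trusted addresses used in the
remediation's Apache/Nginx snippets (assumption: adjust TRUSTED to your site).
"""
import ipaddress
import re
from collections import defaultdict

# Combined log format prefix:
#   ip - user [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The Install Tool endpoint, with or without a trailing slash or query string.
INSTALL_TOOL_RE = re.compile(r'^/typo3/install\.php(?:[/?]|$)')

# Trusted sources, mirroring the "Require ip" / "allow" lines in step 2 (assumed values).
TRUSTED = [
    ipaddress.ip_network("192.168.1.100/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample log lines (TEST-NET addresses, no real hosts).
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Oct/2024:13:55:36 +0000] "GET /typo3/install.php HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.45 - - [10/Oct/2024:13:55:37 +0000] "POST /typo3/install.php?install[controller]=login HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.45 - - [10/Oct/2024:13:55:38 +0000] "POST /typo3/install.php?install[controller]=login HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.45 - - [10/Oct/2024:13:55:39 +0000] "POST /typo3/install.php?install[controller]=login HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.45 - - [10/Oct/2024:13:55:40 +0000] "POST /typo3/install.php?install[controller]=login HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '203.0.113.45 - - [10/Oct/2024:13:55:41 +0000] "POST /typo3/install.php?install[controller]=login HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '10.1.2.3 - - [10/Oct/2024:14:01:02 +0000] "GET /typo3/install.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:14:05:10 +0000] "GET /typo3/install.php/ HTTP/2.0" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:14:05:11 +0000] "GET /index.php?id=1 HTTP/2.0" 200 8800 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return a dict with ip, time, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the address falls inside one of the TRUSTED networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)


def analyse(lines, post_threshold=5):
    """Return sorted (ip, requests, posts, verdict) tuples for untrusted sources
    that touched the Install Tool endpoint."""
    hits = defaultdict(lambda: {"requests": 0, "posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not INSTALL_TOOL_RE.match(rec["path"]):
            continue
        entry = hits[rec["ip"]]
        entry["requests"] += 1
        if rec["method"] == "POST":
            entry["posts"] += 1

    findings = []
    for ip, e in hits.items():
        if is_trusted(ip):
            continue  # allowed by the step 2 access restriction
        verdict = "brute-force suspected" if e["posts"] >= post_threshold else "untrusted access"
        findings.append((ip, e["requests"], e["posts"], verdict))
    return sorted(findings)


if __name__ == "__main__":
    for ip, requests, posts, verdict in analyse(SAMPLE_LOG):
        print(f"{ip:16} requests={requests:3} posts={posts:3}  {verdict}")
```

Run against a real log with `analyse(open("/var/log/apache2/access.log").readlines())`; any untrusted source in the output means the step 2 restriction is missing or bypassed, and a high POST count against the login route is the signal to rotate the Install Tool password (step 3) and remove ENABLE_INSTALL_TOOL (step 1).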
