Contao news


Major security hole in the TYPOlight install tool

by Leo Feyer – Announcements

A major security hole has been detected in the TYPOlight install tool. It allows anyone to bypass the password authentication and read the database login credentials and, if the Safe Mode Hack is used, the FTP login credentials. To fix the issue, upgrade to the latest version (2.7.6) or apply one of the patches below!

Which versions are affected

Unfortunately, the issue affects all TYPOlight versions. Your installation is safe only if you have taken additional steps to protect the TYPOlight back end with .htaccess authentication.

How to fix the vulnerability

If you are using the Live Update Service, upgrade to the latest version (2.7.6). Otherwise, download one of the patches below and replace the files typolight/install.php and typolight/ftp.php (available from version 2.6).

Patch for version 2.7
Patch for version 2.6
Patch for version 2.5
Patch for version 2.4

To additionally harden your installation or if for some reason you cannot upgrade, protect the back end (the typolight folder) via .htaccess. Use FilesMatch to protect only the install tool:

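<FilesMatch "(ftp|install)\.php$">
  AuthName "TYPOlight back end"
  AuthType Basic
  # Placeholder path: use the absolute path to your password file.
  # A relative path is resolved against ServerRoot, not this directory.
  AuthUserFile /absolute/path/to/.htpasswd
  Require valid-user
</FilesMatch>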

Change your login credentials!

If you did not use .htaccess protection before today, make sure to change your database password and, if you are using the Safe Mode Hack, your FTP password!

Check the back end accounts

Since the exploit also allows hackers to create administrator accounts, make sure to check the list of back end users for new or unknown accounts.
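
Added example, not part of the original announcement: alongside the account check, the web server access log shows which clients requested typolight/install.php or typolight/ftp.php and whether the server answered or refused them. It assumes Apache common/combined log format; the `known_ips` parameter, the labels and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The two files named in the announcement, with or without a query string
TOOL_RE = re.compile(r'/typolight/(install|ftp)\.php(\?|$)')

def review(lines, known_ips=()):
    """Group install-tool requests by client IP and label each request."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not TOOL_RE.search(m["path"]):
            continue
        status = int(m["status"])
        if status in (401, 403):
            label = "blocked"        # server refused, e.g. .htaccess protection
        elif m["user"] != "-":
            label = "authenticated"  # HTTP Basic login succeeded
        elif m["ip"] in known_ips:
            label = "known"          # hypothetical allowlist of admin addresses
        elif 200 <= status < 400:
            label = "review"         # tool answered an unknown client
        else:
            label = "other"
        findings[m["ip"]].append((m["time"], m["method"], m["path"], status, label))
    return dict(findings)

def clients_to_review(findings):
    """Client IPs with at least one request labelled 'review'."""
    return sorted(ip for ip, hits in findings.items()
                  if any(hit[4] == "review" for hit in hits))

# Constructed sample log lines (documentation-range addresses, made-up times)
SAMPLE = [
    '198.51.100.7 - - [01/Nov/2009:03:14:07 +0100] "GET /typolight/install.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Nov/2009:03:14:09 +0100] "POST /typolight/install.php HTTP/1.1" 200 7300',
    '203.0.113.20 - - [02/Nov/2009:10:00:00 +0100] "GET /typolight/ftp.php HTTP/1.1" 401 401',
    '192.0.2.10 - admin [02/Nov/2009:10:05:00 +0100] "GET /typolight/install.php HTTP/1.1" 200 5120',
    '192.0.2.33 - - [02/Nov/2009:11:00:00 +0100] "GET /index.php?id=install.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip in clients_to_review(review(SAMPLE)):
        print("review requests from", ip)
```

Requests labelled "review" that predate the patch or the .htaccess protection are the ones to compare against the back end user list and the time of the credential change.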

If you have any questions, you are welcome to ask in the forum. I apologize for the trouble caused.
