CVE-2009-0815 in TYPO3
Summary
by MITRE
The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/09/2025
The vulnerability described in CVE-2009-0815 represents a critical information disclosure flaw within the TYPO3 content management system that affects multiple versions from 3.3.x through 4.2.x and specific pre-release versions. This vulnerability specifically targets the jumpUrl mechanism implemented in the class.tslib_fe.php file, which is responsible for handling URL redirections within the TYPO3 framework. The flaw manifests when the system processes error conditions related to URL redirection, inadvertently exposing sensitive cryptographic hashes in error messages that should remain confidential.
The technical implementation of this vulnerability stems from improper error handling within the TYPO3 core codebase where the juHash value, a cryptographic hash used for validating jump URLs, is included in error messages when validation fails. This hash secret serves as a security mechanism to prevent unauthorized URL redirection attacks, but its exposure in error messages creates a pathway for attackers to exploit the system. The juHash is typically generated using a secret key combined with URL parameters, making it essential for maintaining the integrity of the redirection mechanism. When this value leaks through error output, it becomes available to remote attackers who can then craft malicious requests using the exposed hash values.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables remote attackers to perform arbitrary file reads through carefully constructed requests that leverage the leaked hash values. This capability represents a significant escalation from a passive information disclosure to an active exploitation vector, allowing attackers to potentially access sensitive system files, configuration data, or other resources that should remain protected. The vulnerability affects a substantial portion of TYPO3 installations during the affected version ranges, creating widespread exposure across numerous web applications that rely on this content management platform.
The security implications of this flaw align with CWE-200, which categorizes information exposure vulnerabilities, and can be mapped to ATT&CK technique T1213.002 for credential access through credential dumping. Attackers can leverage this vulnerability to bypass normal access controls and gain unauthorized access to system resources, potentially leading to complete system compromise. The exposure of the juHash essentially provides attackers with a key to manipulate the jumpUrl mechanism, enabling them to redirect users to malicious sites or access internal system files through the framework's URL handling capabilities.
Mitigation strategies for this vulnerability involve updating affected TYPO3 installations to patched versions, specifically versions 4.0.12, 4.1.10, 4.2.6, and later releases that contain the necessary fixes. Organizations should also implement proper error handling configurations that prevent hash values from appearing in error messages, and consider implementing additional logging and monitoring to detect suspicious URL redirection attempts. Security teams should conduct thorough vulnerability assessments of their TYPO3 installations to ensure all affected versions have been properly updated and that no residual exposure exists through other code paths or custom extensions that might interact with the vulnerable jumpUrl mechanism.