
Predictable backup location in "Backup Plus" extension for TYPO3 allows attackers to access backup files

Open Source

NTCF:
NTCF-2025-9186

CVE:
CVE-2025-48201

Product:
ns_backup

Vendor:
T3Planet

Criticality:
medium

Status:
fixed

Discovered:
2025-02-06

Detail:
Public

Vulnerable version:
<= 13.0.0

Fixed version:
13.0.1

Summary

"Backup Plus" is an extension for the TYPO3 enterprise Content Management System (CMS). It has been discovered that the versions below 13.0.1 store backups in a publicly accessible location by default and use a predictable name for the backups.

Background

TYPO3 is a widely used open source enterprise CMS known for its extensibility and customizability. It allows organizations to build and manage complex websites while offering a range of extensions that enhance its functionality. Various authorities at the national, cantonal and municipal level use TYPO3, often in contexts where confidentiality, availability and integrity are essential.

In a pilot project with the NCSC, the NTC evaluated the security of TYPO3 and its extensions to ensure the security of open source software used within the Swiss administration. Read more about the project here.

Vulnerability

By default, backup files are named according to the following scheme, depending on the backup type:

  • Core: http://[Site-URL]/uploads/tx_nsbackup/typo3/typo3-YYYYMMDD-HHMM.tar.bz2
  • MySQL Database: http://[Site-URL]/uploads/tx_nsbackup/mysqldump/mysqldump-YYYYMMDD-HHMM.sql
  • Vendors: http://[Site-URL]/uploads/tx_nsbackup/vendor/vendor-YYYYMMDD-HHMM.tar.bz2

The uploads directory is publicly accessible, and the only variable part of a backup file name is the timestamp.

As a consequence, the file names can be brute forced. At 100 requests per minute, scanning the last month for backups would take around 11.15 hours on average.
Calculation: 3 (backup types) * 31 (days) * 24 (hours) * 60 (minutes) / 100 (requests per minute) / 2 (expected value, assuming the backup timestamp is evenly distributed over the month) = ~669 minutes or ~11.15 hours.
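The enumeration described above leaves a distinctive trace in the web server access log: one client issuing many requests against `/uploads/tx_nsbackup/<type>/<type>-YYYYMMDD-HHMM.<ext>` paths, almost all answered with 404, possibly followed by a 200 when a real backup is hit. The following detection script is an added example, not part of the advisory or of the extension; it assumes the Apache/nginx combined log format and the default paths listed above, and runs over a constructed sample log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Default backup locations named in the advisory:
# /uploads/tx_nsbackup/<type>/<type>-YYYYMMDD-HHMM.(tar.bz2|sql)
BACKUP_PATH = re.compile(
    r"^/uploads/tx_nsbackup/(?P<kind>typo3|mysqldump|vendor)/"
    r"(?P=kind)-\d{8}-\d{4}\.(?:tar\.bz2|sql)$"
)

# Minimal parser for the combined log format (assumption: Apache/nginx default).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


@dataclass
class Finding:
    ip: str
    requests: int          # requests against the backup directory
    not_found: int         # of which 404 (probes for non-existent timestamps)
    served: list = field(default_factory=list)  # paths answered 200: a backup was exposed


def scan_access_log(lines, min_requests=20):
    """Group requests to the tx_nsbackup directory by client IP.

    A client is reported when it probed the directory at least `min_requests`
    times (timestamp enumeration) or when any backup file was served with 200
    (an actual exposure, reported regardless of the request count).
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "served": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole scan
        path = m.group("path").split("?", 1)[0]
        if not BACKUP_PATH.match(path):
            continue
        entry = per_ip[m.group("ip")]
        entry["requests"] += 1
        status = int(m.group("status"))
        if status == 404:
            entry["not_found"] += 1
        elif status == 200:
            entry["served"].append(path)
    findings = [
        Finding(ip, e["requests"], e["not_found"], e["served"])
        for ip, e in per_ip.items()
        if e["requests"] >= min_requests or e["served"]
    ]
    return sorted(findings, key=lambda f: f.ip)


def _line(ip, path, status):
    # Builds one constructed combined-format log line (fixed timestamp, fixed size).
    return (f'{ip} - - [06/Feb/2025:10:00:00 +0100] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "curl/8.0"')


# Constructed sample log: one client probes 24 timestamps of the database dump
# (all 404) and then hits a real file (200); a normal visitor; a single stray 404.
SAMPLE_LOG = (
    [_line("203.0.113.7",
           f"/uploads/tx_nsbackup/mysqldump/mysqldump-20250205-{h:02d}{m:02d}.sql", 404)
     for h in range(2) for m in range(0, 60, 5)]
    + [_line("203.0.113.7",
             "/uploads/tx_nsbackup/mysqldump/mysqldump-20250205-0215.sql", 200)]
    + [_line("198.51.100.4", "/index.php?id=1", 200)]
    + [_line("192.0.2.9", "/uploads/tx_nsbackup/typo3/typo3-20250201-0300.tar.bz2", 404)]
)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ip}: {f.requests} requests, {f.not_found} x 404, served={f.served}")
```

In production the sample list would be replaced by the lines of the access log; the threshold of 20 requests is an assumption and should be tuned to the site. A 200 for any file under `uploads/tx_nsbackup/` is worth an alert on its own, since after the fix no backup should live there at all.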

Remediation

This vulnerability was reported to the TYPO3 security team and fixed by the extension maintainers in 67b8102a19e8e516dc4228f5c42f9e4fba5046cb by storing the backup files in a directory that is not publicly accessible.

[Screenshot: modal dialog informing the user that backups are now stored in a non-public location]

The way the file name is generated was also adjusted to include an MD5 hash of the backup type. This does not reduce the predictability of the file names, however, since MD5 yields the same hash for the same known input.

Patches

This issue has been fixed in version 13.0.1. It is recommended that all users of nitsan/ns-backup update to the latest version.
System operators are also encouraged to move all existing backup files in the uploads directory to a publicly inaccessible location.
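Updating the extension does not touch backups that were already written to the public uploads directory. The script below is an added example for operators, not part of the advisory or of the extension: it locates files matching the default naming scheme under `<webroot>/uploads/tx_nsbackup/` and moves them to a directory that must lie outside the web root (the directory layout and the destination path are assumptions; the demonstration runs against a constructed temporary web root).

```python
import re
import shutil
import tempfile
from pathlib import Path

# Default names of the exposed backups, per the advisory:
# <type>-YYYYMMDD-HHMM.tar.bz2 (core, vendor) or mysqldump-YYYYMMDD-HHMM.sql (database).
BACKUP_NAME = re.compile(
    r"^(?:typo3|vendor)-\d{8}-\d{4}\.tar\.bz2$|^mysqldump-\d{8}-\d{4}\.sql$"
)


def find_exposed_backups(webroot):
    """Backup files still sitting under the public uploads/tx_nsbackup directory."""
    base = Path(webroot) / "uploads" / "tx_nsbackup"
    if not base.is_dir():
        return []
    return sorted(p for p in base.rglob("*") if p.is_file() and BACKUP_NAME.match(p.name))


def target_is_outside(webroot, target):
    """True when `target` is neither the web root nor anything below it."""
    webroot, target = Path(webroot).resolve(), Path(target).resolve()
    return webroot != target and webroot not in target.parents


def relocate_backups(webroot, target, dry_run=True):
    """Move exposed backups to `target`, keeping the per-type subdirectory.

    Refuses a target inside the web root, since that would keep the files
    reachable over HTTP. With dry_run=True only the planned moves are returned.
    """
    webroot, target = Path(webroot).resolve(), Path(target).resolve()
    if not target_is_outside(webroot, target):
        raise ValueError("target must lie outside the web root")
    base = webroot / "uploads" / "tx_nsbackup"
    moves = []
    for src in find_exposed_backups(webroot):
        dst = target / src.relative_to(base)
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
        moves.append((src, dst))
    return moves


def build_sample_webroot(root):
    """Constructed web root: two exposed backups, one unrelated file per directory."""
    root = Path(root)
    for rel in ("uploads/tx_nsbackup/mysqldump/mysqldump-20250205-0215.sql",
                "uploads/tx_nsbackup/typo3/typo3-20250201-0300.tar.bz2",
                "uploads/tx_nsbackup/readme.txt",
                "fileadmin/logo.png"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


def demo():
    """Dry run, then real move, against a temporary constructed web root."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = build_sample_webroot(Path(tmp) / "public")
        private = Path(tmp) / "private_backups"   # assumed location outside the web root
        before = len(find_exposed_backups(webroot))
        planned = len(relocate_backups(webroot, private))          # dry run
        after_dry_run = len(find_exposed_backups(webroot))
        moved = len(relocate_backups(webroot, private, dry_run=False))
        after = len(find_exposed_backups(webroot))
        in_private = sum(1 for p in private.rglob("*") if p.is_file())
        return {"before": before, "planned": planned, "after_dry_run": after_dry_run,
                "moved": moved, "after": after, "in_private": in_private}


if __name__ == "__main__":
    print(demo())
```

Run `relocate_backups` first with the default dry run against the real web root and review the planned moves, then repeat with `dry_run=False`. Backups created with custom names are not matched by `BACKUP_NAME` and have to be listed separately.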

Timeline

2025-02-06: initial discovery

2025-02-21: private disclosure to vendor

2025-09-02: fix by vendor

2025-10-13: public disclosure