RSS 2.0
RSS 0.91
ATOM 0.3
October 8, 2012

Security information for users

Category: Server Admin Team

By: Steffen Gebert & Michael Stucki on behalf of the TYPO3 Server Team

The following article contains an important information about security precautions that were taken after a bug was discovered on The same text was already sent by mail to all users who are affected by the issue.

Dear user,

the following mail is sent to you as a pure security precaution.
Still we would like you to read it very carefully.

We have noticed a problem in the server infrastructure
which resulted in passwords being stored in the log files in
clear-text form.
Immediately after the problem was noticed and fixed, additional
steps were taken to reset the passwords of all affected users
and to delete all log files.

Who is affected?
Only users who have tried to log into the Gerrit Review system
on at least once.
Your username was found in the log files, therefore you are
receiving this mail.

Who could access the log files containing these passwords?
Only administrators have been able to access these
log files. There is no indication that any other people have
been involved or that any passwords were stolen!

What do you need to do?
Please go to and reset your password. You can use
the "Forgot password" functionality (below the login drop-down)
to request a new password.

Background information: stores all passwords as hashes, thus in a secure
manner. All passwords are transferred with SSL encryption and
only between the and the Gerrit review server.
However, every time when a user tried to log into the Gerrit
Review system on, the username and
the clear-text password have been written into the log file on where any administrator (see below) could have access
the data.
Please note: Nobody except members of the server team
plus administrators of the web site were able to
access to this log file - so your password was *not* stolen by
any hacker (to the best of our knowledge - we have no indication
for any unauthorized access).
In summary, 15 people had access to these log files. As we have
allowed these people to access the server, we consider
all of these people as trusted.

As a security measure, and because we found a login attempt
with your user account, we decided to inform you about this
finding and to reset your password.

We hope you understand that we care about the safety of your

If you have any questions, please contact us through

Your TYPO3 Server Admin Team


comment #1
Gravatar: Jonas Felix Jonas Felix October 9, 2012 12:37
So it's not a TYPO3 Security issue but some very specific issue with the setup. I think that's an important note.

comment #2
Gravatar: October 12, 2012 11:03

comment #3
Gravatar: Knoellweb Knoellweb October 17, 2012 16:07
But that was only a problem by your side itself and not with the Typo3 System in general?

Thanks so far.

comment #4
Gravatar: Steffen Gebert Steffen Gebert October 25, 2012 08:03
Hi Knoellweb,

sorry for the late answer. Yes, of course, this was only a problem with the official project infrastructure, no problem in the TYPO3 CMS itself.


comment #5
Gravatar: Troy Howell Troy Howell November 7, 2012 11:50
I Say about TYPO3 is used by to create and manage websites of different kinds and dimension differs, from little websites for people or non-profit organizations to multilingual business solutions for organizations.

Sorry, comments are closed for this post.