Technology Tools for Ministry

Fix TYPO3 Security Bulletin TYPO3-20061220-1 - Issue with RTE HTML Area Extension

TYPO3 4.0.3 and before, any install using the HTML Area extension

You must upgrade to the following versions of the rtehtmlarea extension depending on the TYPO3 version you are using. Other versions contain the security issue.

rtehtmlarea version 1.3.8 is for TYPO3 version 4.0.x
rtehtmlarea version 1.4.3 is for TYPO3 version 4.0.x if you were running 1.4.2
rtehtmlarea version 1.2.1 is for TYPO3 version 3.8.x
rtehtmlarea version 1.1.4 is for TYPO3 version 3.7.x

x = any number

Making this update requires completely removing/overwriting all installations of the rtehtmlarea extension. This extension is a system extension delivered with the TYPO3 version 4.0.x core software. If you have installed a local extension that overrides the system extension, then both must be modified. Here are the steps.

Note: this example is for TYPO3 version 4. Some of the titles and options may vary somewhat for previous versions of TYPO3.

Enable your installation to overwrite system extensions, which are normally read only

  1. Login to the TYPO3 Backend at http://www.YourWebsiteName.com.
  2. Click on the Install link at the lower left.
  3. Login to the TYPO3 Install Tool.
  4. Click "5: All Configuration" to check and possibly change the "allowSystemInstall" setting.
  5. Scroll nearly half way down to "[allowSystemInstall]" and set the value to 1.
  6. Scroll to the bottom of the page and click on the "Write to localconf.php" button. This will allow you to overwrite the system extension that has the security issue.
  7. Now you can overwrite the copy of the rtehtmlarea extension with the security issue that is installed as a system extension.

Find the rtehtmlarea extension and check settings

  1. Click the "Ext Manager" link at the lower left to begin the process of removing the old rtehtmlarea extension(s) and adding back the new rtehtmlarea version as listed above.
  2. Select "Install extensions" at the top center.
  3. Under the heading "Backend," find "htmlArea RTE" in the list of extensions. Notice the version number and the type for this extension. Use the list at the beginning of this How-To to identify and remember the new rtehtmlarea version number that you will need to install.
  4. If the type value is "Local SL" then you have both a system version of the extension (which probably came from the initial TYPO3 install) and a locally installed copy of the extension. Both of these need to be removed/overwritten.

If the type value is "Local SL" (otherwise, skip this section)

  1. Click on the words "htmlArea RTE" to check the settings.
  2. Select "Information" at the upper right.
  3. Scan the field values for any that are not set to the default value immediately below. If any are different then note the differences on paper or cut and paste their values to a text editor. These will need to be restored later.
  4. Click on the icon with the green ball with the minus sign that is located to the left of the words "htmlArea RTE" to uninstall the current default extension. The icon ball will turn gray to show it is uninstalled.
  5. Click on the words "htmlArea RTE" to modify this extension.
  6. Select "Backup/Delete" at the upper right.
  7. Click "DELETE EXTENSION FROM SERVER" to completely remove the files from your server. Click "OK" to okay the deletion.
  8. Click "Go back" at the upper right.
  9. Notice the "htmlArea RTE" is still listed but probably with a different number. This is the system extension that is now showing because the local extension installation was completely removed. Local extension installs override system extension installs.

Overwrite the extension with the new version

  1. Click on the words "htmlArea RTE" to modify this extension.
  2. Select "Import extensions" to get a new version of the extension from the TYPO3 Extension Repository (TER).
  3. Click the "Retrieve/Update" button to get the latest list of extensions downloaded to your server.
  4. Under "List or look up all extensions" enter "rtehtmlarea" and click the "Look up" button.
  5. You should see a list of extensions. (If not, choose "Settings" at the top middle dropdown menu. Ensure that "Enable extensions without review (basic security check):" is checked. Click "Update." Then repeat the previous steps.)
  6. Click on "htmlArea RTE."
  7. Under "SELECT COMMAND" use the drop down menu to select the version of the rtehtmlarea extension that you need to install.
  8. Next to "Import/Update" button, select "System: typo3/sysext/rtehtmlarea/ (OVERWRITE)" then click the "Import/Update" button to overwrite the system extension with the new version that you need.
  9. At the bottom of the page, click on "Install Extension" to install it.
  10. On the configuration page, u" button at the bottom.
  11. Click "Go back" at the upper right.
  12. You should now see "htmlArea RTE" in the list with the version number that you need and a type of system because you overwrote the previous extension installed as a system extension.

Change your installation to disable overwriting of system extensions, which should be read only

  1. Login to the TYPO3 Backend at http://www.YourWebsiteName.com.
  2. Click on the Install link at the lower left.
  3. Login to the TYPO3 Install Tool.
  4. Click "5: All Configuration" to check and possibly change the "allowSystemInstall" setting.
  5. Scroll nearly half way down to "[allowSystemInstall]" and set the value to 0.
  6. Scroll to the bottom of the page and click on the "Write to localconf.php" button. This will protect the system extensions.
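
To confirm the result of the whole procedure from the file system, the following added example (not part of the original how-to or of TYPO3) checks that every installed copy of rtehtmlarea is one of the versions listed above and that allowSystemInstall was switched back off. The paths typo3conf/ext/rtehtmlarea/ and typo3conf/localconf.php, and the "'version' => '...'" line in ext_emconf.php, are assumptions based on the standard TYPO3 4.x layout.

```python
import re
from pathlib import Path

# Fixed rtehtmlarea versions per TYPO3 branch, taken from the list on this page.
FIXED = {"4.0": {"1.3.8", "1.4.3"}, "3.8": {"1.2.1"}, "3.7": {"1.1.4"}}

# Assumed standard layout, relative to the site root. A local copy
# overrides the system copy, so both have to be checked.
COPIES = {"system": "typo3/sysext/rtehtmlarea/ext_emconf.php",
          "local": "typo3conf/ext/rtehtmlarea/ext_emconf.php"}
LOCALCONF = "typo3conf/localconf.php"

VERSION_RE = re.compile(r"""['"]version['"]\s*=>\s*['"]([\d.]+)['"]""")
ALLOW_RE = re.compile(
    r"""\[['"]allowSystemInstall['"]\]\s*=\s*['"]?(\d+)['"]?\s*;""")

def emconf_version(text):
    """Return the version string declared in an ext_emconf.php, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def system_install_enabled(localconf_text):
    """True if the last allowSystemInstall assignment is non-zero.
    The Install Tool appends settings, so the last assignment wins."""
    values = ALLOW_RE.findall(localconf_text)
    return bool(values) and values[-1] != "0"

def audit(root, typo3_branch):
    """Return a list of findings for one site root (empty list = clean)."""
    root, findings = Path(root), []
    for kind, rel in COPIES.items():
        emconf = root / rel
        if not emconf.is_file():
            continue  # this copy is not installed
        version = emconf_version(emconf.read_text(errors="replace"))
        if version not in FIXED[typo3_branch]:
            findings.append(f"{kind} copy of rtehtmlarea is version "
                            f"{version}, not a version listed as fixed")
    conf = root / LOCALCONF
    if conf.is_file() and system_install_enabled(
            conf.read_text(errors="replace")):
        findings.append("allowSystemInstall is still enabled")
    return findings

if __name__ == "__main__":
    import sys
    for line in audit(sys.argv[1], sys.argv[2]):  # e.g. /var/www/site 4.0
        print("FINDING:", line)
```
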