Security Audit: Technische Hochschule Nürnberg

External black-box security audit of th-nuernberg.de (TYPO3 CMS)

Tags: Cybersec · Security · Penetration Testing · TYPO3 · Nürnberg

Security Scan: th-nuernberg.de

Scan date: 2026-06-25 · Target: https://www.th-nuernberg.de/ · Method: External black-box scan


Checklist

| Check | Status |
|-------|--------|
| X-Content-Type-Options: nosniff | Present |
| Strict-Transport-Security | Present (max-age=31536000; includeSubDomains; preload) |
| Content-Security-Policy | Present (weakened by unsafe-inline) |
| X-XSS-Protection | Present (1; mode=block) |
| Server header hidden | Present |
| Referrer-Policy | Missing |
| Permissions-Policy | Missing |
| /typo3/install.php | Accessible (200) |
| /.well-known/security.txt | 403 (existence not confirmed by the status alone) |
| robots.txt | Not configured (404) |
| SameSite on cookies | Missing |


Issues Found

1. TYPO3 Install Tool Exposed

Risk: HIGH

The TYPO3 Install Tool endpoint /typo3/install.php answers with HTTP 200. Note that since TYPO3 9 the tool additionally requires an ENABLE_INSTALL_TOOL flag file on the server; without it the same URL serves a "locked" notice page, so the status code alone does not establish that the tool is usable. Confirm from the response body whether it prompts for the Install Tool password or reports itself locked. If it is unlocked, a single password stands between an attacker and the site configuration, the encryption key and system maintenance functions, and the endpoint is the attack surface of CVE-2024-25119 (encryption key disclosure, CVSS 4.9) and CVE-2024-55892 (open redirect/SSRF, CVSS 8.5), both listed in the CVE table below.

2. jQuery v1.11.0 (End of Life)

Risk: HIGH

jQuery 1.11.0 was released in January 2014; the 1.x line had its last release (1.12.4) in 2016 and is end-of-life. It is vulnerable to CVE-2024-24846 (XSS via htmlPrefilter, CVSS 6.1) and prototype pollution. It also predates the 3.5.0 fix for the htmlPrefilter XSS (CVE-2020-11022 / CVE-2020-11023) and the 3.4.0 fix for $.extend prototype pollution (CVE-2019-11358), so any code path that passes untrusted HTML or objects to jQuery's DOM manipulation or extend APIs is exploitable. Check whether the site actually routes user-controlled input through such calls; on a mostly static site the practical impact is an easier XSS chain rather than a standalone injection point.

3. DMARC Policy Set to p=none

Risk: HIGH

A DMARC record with p=none asks receiving mail servers to take no action on messages that fail SPF/DKIM alignment and only to send reports (if rua/ruf addresses are set). Mail forging the From: domain th-nuernberg.de is therefore delivered unless the receiver applies its own heuristics, which makes the domain usable for phishing students, staff and partners. p=none is a legitimate first stage of a DMARC rollout, not a permanent state.
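To make the enforcement question concrete, the following added example (not tooling from the audit) parses a DMARC TXT record and reports why it does or does not enforce. The two records are constructed for illustration: the first mirrors the p=none state described above, the second is a hardened target; the report addresses are made up.

```python
"""DMARC record triage: parse a _dmarc TXT record and classify enforcement.

Added example, not from the audit page. Records are constructed; the
target's real record was not captured here.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class DmarcAssessment:
    policy: str            # p= value: none / quarantine / reject
    subdomain_policy: str  # sp= value, defaults to p=
    pct: int               # share of failing mail the policy is applied to
    rua: list[str]         # aggregate report URIs
    enforcing: bool        # True only if spoofed mail is quarantined or rejected
    findings: list[str]


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict (RFC 7489 section 6.4)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify a record the way a receiver would apply it, noting weaknesses."""
    tags = parse_dmarc(record)
    findings: list[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag; receivers ignore the record")
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"unknown p={policy!r}, treated as none")
        policy = "none"
    sp = tags.get("sp", policy).lower()       # sp= inherits p= when absent
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
        findings.append("non-numeric pct, assuming 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is delivered")
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains stay unenforced although the org domain is")
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if not rua:
        findings.append("no rua= address: no aggregate reports to monitor the rollout")
    enforcing = (policy in ("quarantine", "reject")
                 and sp in ("quarantine", "reject") and pct == 100)
    return DmarcAssessment(policy, sp, pct, rua, enforcing, findings)


# Constructed records: the observed p=none state and a hardened target.
OBSERVED = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
HARDENED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example.org")

if __name__ == "__main__":
    for label, rec in (("observed", OBSERVED), ("hardened", HARDENED)):
        a = assess_dmarc(rec)
        print(f"{label}: p={a.policy} sp={a.subdomain_policy} pct={a.pct} enforcing={a.enforcing}")
        for f in a.findings:
            print("  -", f)
```

The staged path from the observed record to the hardened one is p=none with rua reporting, then p=quarantine (optionally with a pct ramp), then p=reject once the aggregate reports show every legitimate sender passing aligned SPF or DKIM; the `enforcing` flag only turns true at the end of that path.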

4. CSP Contains unsafe-inline

Risk: MEDIUM

The policy lists 'unsafe-inline' among its script sources. What that actually permits depends on the rest of the same directive. If the header's script-src (or script-src-elem) also carries a nonce or hash source, browsers implementing CSP Level 2 or later ignore 'unsafe-inline' entirely: it then only weakens pre-CSP2 browsers, and inline scripts without a nonce are blocked rather than executed. If the nonces seen on some inline script tags are not backed by a matching nonce source in the header, they are inert and 'unsafe-inline' lets any injected inline script run. Either way the policy is not the strict, nonce-based one it should be; verify which case applies by comparing the header's script-src with the nonce attributes in the HTML.

5. Missing Referrer-Policy Header

Risk: MEDIUM

Without the header, each browser applies its own default. Current Chrome, Firefox and Safari default to strict-origin-when-cross-origin, so only scheme and host leak cross-site; older browsers default to no-referrer-when-downgrade and send the full URL of protected pages, path and query string included, to any external site they link to or load resources from. An explicit policy removes the dependence on browser defaults.

6. Missing Permissions-Policy Header

Risk: MEDIUM

Without the header, browsers apply their per-feature defaults: camera, microphone and geolocation are allowed for the site's own documents and denied to cross-origin iframes unless the iframe's allow attribute grants them. An explicit Permissions-Policy that denies features the site does not use (for example camera=(), microphone=(), geolocation=()) means an XSS payload or a compromised same-origin script cannot prompt for them either.

7. /.well-known/security.txt Returns 403

Risk: LOW

The path returns 403 instead of serving the RFC 9116 text/plain file or falling through to 404. A 403 does not prove a file exists; it more likely comes from a web-server rule denying all dot-directories, which would also block other .well-known resources. Either publish a security.txt (at minimum Contact and Expires fields) or let the path return 404.


Security Headers

| Header | Status |
|--------|--------|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block (legacy header; current browsers have removed the filter, and the recommended value where it is set at all is 0) |
| Referrer-Policy | Missing |
| Permissions-Policy | Missing |
| Content-Security-Policy | Present (weakened by unsafe-inline) |
| Access-Control-Allow-Origin | Not set (good) |
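The checklist, the CSP finding and the header table above can be reproduced offline from a captured response. The following added example (not the audit's own tooling) evaluates a header set the way the checklist does, including the CSP Level 2 rule that a nonce or hash source makes browsers ignore 'unsafe-inline', and the cookie SameSite check. SAMPLE_HEADERS and SAMPLE_COOKIES are constructed to mirror the findings on this page; the nonce value and cookie value are made up.

```python
"""Response-header triage for the checklist above.

Added example, not the audit's own tooling. The sample header set is
constructed to mirror the page's findings; values are illustrative.
"""
from __future__ import annotations
import re

HSTS_MIN_AGE = 31536000                       # one year, the preload-list minimum
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.I)
GOOD_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split 'a b c; d e' into {directive: [sources]}; first occurrence of a directive wins."""
    out: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def assess_csp(policy: str) -> list[str]:
    """Findings about the sources that actually govern <script> elements.

    script-src-elem overrides script-src, which overrides default-src. Per CSP
    Level 2+, a nonce or hash source in the governing directive makes browsers
    ignore 'unsafe-inline'; it then only loosens pre-CSP2 browsers.
    """
    csp = parse_csp(policy)
    srcs = next((csp[d] for d in ("script-src-elem", "script-src", "default-src")
                 if d in csp), None)
    if srcs is None:
        return ["no script-src or default-src: inline and remote scripts are unrestricted"]
    low = [s.lower() for s in srcs]
    has_nonce = any(NONCE_OR_HASH.match(s) for s in srcs)
    findings: list[str] = []
    if "'unsafe-inline'" in low and has_nonce:
        findings.append("'unsafe-inline' is ignored by CSP2+ browsers because a nonce/hash is "
                        "present; un-nonced inline scripts are blocked there, so nonce every one")
    elif "'unsafe-inline'" in low:
        findings.append("'unsafe-inline' without nonce/hash: any injected inline script executes")
    if "'unsafe-eval'" in low:
        findings.append("'unsafe-eval': eval()/new Function() on attacker-controlled strings allowed")
    if "*" in low or "https:" in low or "http:" in low:
        findings.append("wildcard or scheme-only source: scripts can load from any host")
    if has_nonce and "'strict-dynamic'" not in low:
        findings.append("nonces without 'strict-dynamic': the host allow-list still applies to "
                        "scripts loaded by nonced scripts, and allow-listed hosts are a bypass surface")
    return findings


def assess_headers(headers: dict[str, str], cookies: list[str]) -> dict[str, str]:
    """One verdict per checklist row; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    v: dict[str, str] = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        v["Strict-Transport-Security"] = "MISSING"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        sub = "includesubdomains" in hsts.lower()
        v["Strict-Transport-Security"] = ("OK" if age >= HSTS_MIN_AGE and sub
                                          else f"WEAK (max-age={age}, includeSubDomains={sub})")
    v["X-Content-Type-Options"] = ("OK" if h.get("x-content-type-options", "").strip().lower()
                                   == "nosniff" else "MISSING")
    xss = h.get("x-xss-protection")
    v["X-XSS-Protection"] = ("absent (fine: filter removed from current browsers)" if xss is None
                             else "OK (0 = disabled)" if xss.strip().startswith("0")
                             else "LEGACY (1; mode=block): set to 0 or drop; rely on CSP")
    rp = h.get("referrer-policy", "").strip().lower()
    v["Referrer-Policy"] = ("OK" if rp in GOOD_REFERRER
                            else "MISSING (browser default strict-origin-when-cross-origin applies)"
                            if not rp else f"WEAK ({rp})")
    v["Permissions-Policy"] = "OK" if h.get("permissions-policy") else "MISSING"
    csp = h.get("content-security-policy")
    csp_findings = [] if csp is None else assess_csp(csp)
    v["Content-Security-Policy"] = ("MISSING" if csp is None
                                    else "OK" if not csp_findings
                                    else "WEAK: " + "; ".join(csp_findings))
    weak = []
    for c in cookies:                         # one raw Set-Cookie line per entry
        name = c.split("=", 1)[0].strip()
        attrs = {p.strip().lower().split("=", 1)[0] for p in c.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            weak.append(f"{name} lacks {','.join(missing)}")
    v["Cookies"] = "OK" if not weak else "WEAK: " + "; ".join(weak)
    return v


# Constructed sample mirroring the page's findings (nonce and cookie value are made up).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                               "'nonce-d3adb33f' https://www.th-nuernberg.de",
}
SAMPLE_COOKIES = ["fe_typo_user=abc123; Path=/; Secure; HttpOnly"]   # no SameSite

if __name__ == "__main__":
    for key, verdict in assess_headers(SAMPLE_HEADERS, SAMPLE_COOKIES).items():
        print(f"{key:28s} {verdict}")
```

Feed the function the headers from a real capture (for example the output of `curl -sI`) to see which of the two 'unsafe-inline' cases from issue 4 applies; the CSP verdict changes from "ignored" to "any injected inline script executes" the moment the nonce source is absent from the header.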


CVE Reference Table

| CVE | Component | CVSS | Description |
|-----|-----------|------|-------------|
| CVE-2024-24846 | jQuery ≤3.7.1 | 6.1 | XSS via htmlPrefilter bypass |
| CVE-2024-25119 | TYPO3 Install Tool | 4.9 | Encryption key disclosure |
| CVE-2024-55892 | TYPO3 CMS | 8.5 | Open redirect / SSRF via URI parser |
| CVE-2026-6553 | TYPO3 14.2.0 | 7.5 | Cleartext password in be_users |


Recommendations

  1. Lock down /typo3/install.php: keep the ENABLE_INSTALL_TOOL flag file absent outside maintenance windows, and additionally restrict the path to administrator IPs or an extra authentication layer at the web server.
  2. Update jQuery: upgrade from 1.11.0 to the current 3.x release (3.5.0 or later closes the htmlPrefilter and $.extend issues); run jquery-migrate during the upgrade to catch removed APIs.
  3. Set DMARC to p=reject: move from p=none to p=quarantine and then p=reject once aggregate reports show all legitimate senders passing aligned SPF or DKIM, and set sp= so subdomains are covered.
  4. Remove unsafe-inline: put a nonce on every inline script, add 'strict-dynamic', and drop the 'unsafe-inline' fallback once no un-nonced inline script remains.
  5. Add Referrer-Policy (strict-origin-when-cross-origin or no-referrer) and a Permissions-Policy that denies the features the site does not use.
  6. Publish /.well-known/security.txt per RFC 9116 (Contact and Expires at minimum) or let the path return 404.
  7. Return 404 for blocked paths instead of 403, so probes cannot distinguish denied paths from absent ones.
Created: 6/25/2026 · Last updated: 6/25/2026