SecurityReason.com - Our Reason is Security


Topic :

Multiple vulnerabilities in TYPO3 Core

SecurityAlert : 3945
CVE : CVE-2008-2717
CVE : CVE-2008-2718
CWE : CWE-264
CWE : CWE-79
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : No
Credit : typo3 org
Published : 18.06.2008

Affected Software :
TYPO3, TYPO3, 4.0
TYPO3, TYPO3, 4.0.1
TYPO3, TYPO3, 4.0.2
TYPO3, TYPO3, 4.0.3
TYPO3, TYPO3, 4.0.4
TYPO3, TYPO3, 4.0.5
TYPO3, TYPO3, 4.0.6
TYPO3, TYPO3, 4.0.7
TYPO3, TYPO3, 4.0.8
TYPO3, TYPO3, 4.1
TYPO3, TYPO3, 4.1.1
TYPO3, TYPO3, 4.1.2
TYPO3, TYPO3, 4.1.3
TYPO3, TYPO3, 4.1.4
TYPO3, TYPO3, 4.1.5
TYPO3, TYPO3, 4.1.6
TYPO3, TYPO3, 4.2
Apache, Apache Webserver



Advisory Content :

Dear users of TYPO3,

It has been discovered that the default value of the TYPO3 configuration
variable fileDenyPattern allows arbitrary code execution on Apache web
servers. Besides that, the library fe_adminlib.inc allows Cross Site
Scripting (XSS).

=== Component Type ===

TYPO3 Core

=== Affected Versions ===

TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2

=== Vulnerability Types ===

Arbitrary code execution on Apache, Cross Site Scripting

=== Vulnerability #1 ===

Default value of fileDenyPattern allows arbitrary code execution on Apache

=== Severity ===

High

=== Problem Description ===

Because of a not sufficiently secure default value of the TYPO3
configuration variable fileDenyPattern, TYPO3 is susceptible to the
following vulnerabilities when running on Apache web server:

1. Authenticated backend users with granted access to an arbitrary
filemount are able to upload Apache configuration files (.htaccess). A
malicious backend user may abuse this to create and execute files
containing arbitrary code.

2. If the Apache module mod_mime is enabled on the Apache web server
(default case), authenticated backend users with granted access to an
arbitrary filemount can upload/create and execute arbitrary files with PHP
code. The same applies to frontend users in the case that TYPO3 extensions
with frontend plugins rely on
t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the
file name. The TYPO3 security team is aware of a number of popular TYPO3
extensions that use this method. Besides that, TYPO3 extensions that
process file uploads using the method processFiles() of the core library
fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not
aware of an existing TYPO3 extension within the TYPO3 extension repository
(TER) that uses the method processFiles().

=== Solution ===

Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described.
The new versions contain an updated default value for fileDenyPattern. If
this default value is not used, there will be a warning displayed in
backend module "About modules". This should remind the administrator to
change the value of fileDenyPattern.

If you can't update directly, change the value of the configuration
variable fileDenyPattern to the following value:

\.php[3456]?(\..*)?$|^\.htaccess$

This can be achieved by either changing the value of fileDenyPattern in the
section "All configuration" within the TYPO3 install tool or by adding the
line

$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)?$|^\.htaccess$';

to the end of the TYPO3 configuration file typo3conf/localconf.php.

=== Background ===

To prevent backend and frontend users from uploading arbitrary PHP scripts
through TYPO3 core features, each file operation (upload, creation, rename,
copy, move) includes a check of the file name against the configuration
variable fileDenyPattern. (Furthermore, there are more checks done using
the contents of the array $TYPO3_CONF_VARS['BE']['fileExtensions'] which
are not discussed here because they are not related to the problem.)

The previous value of fileDenyPattern allows files to be created and uploaded
with multiple extensions where 'php' does not necessarily have to be the last
extension. In the case of a file with an unknown mime type the Apache
module mod_mime may search for other known extensions in the file name and
handle the file according to the first known extension found.
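As an added example (not code from the TYPO3 advisory or the TYPO3 code base), the following Python script applies the advisory's recommended fileDenyPattern beside a constructed weaker pattern of the kind described above, and approximates mod_mime's handling of multiple extensions to show which upload names slip through each check. The weak pattern, the PHP handler extension set and the sample file names are assumptions; the case-insensitive matching mirrors the preg_match /i flag used by TYPO3's deny check.

```python
import re

# Pattern quoted in the advisory's Solution section.
FIXED_PATTERN = r"\.php[3456]?(\..*)?$|^\.htaccess$"

# Constructed illustrative weak pattern (assumption, not the verbatim old
# default): it only denies 'php' when it is the LAST extension, which is the
# weakness the Background section describes.
WEAK_PATTERN = r"\.php[3456]?$|^\.htaccess$"

# Constructed stand-in for the extensions Apache maps to the PHP handler.
PHP_HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "php6", "phtml"}


def filename_allowed(filename, deny_pattern):
    """Mirror the TYPO3 deny check: reject if the pattern matches anywhere.
    Matching is case-insensitive (assumption: TYPO3 uses preg_match with /i)."""
    if not filename or not deny_pattern:
        return True
    return re.search(deny_pattern, filename, re.IGNORECASE) is None


def mod_mime_handler(filename):
    """Approximate mod_mime with multiple extensions: every dot-separated
    extension is inspected and the first known one decides the handler;
    unknown extensions such as '.jpg' are simply skipped."""
    for ext in filename.split(".")[1:]:
        if ext.lower() in PHP_HANDLER_EXTENSIONS:
            return "php"
    return None


def executable_uploads(filenames, deny_pattern):
    """Names that pass the deny check yet would be run as PHP by Apache."""
    return [name for name in filenames
            if filename_allowed(name, deny_pattern)
            and mod_mime_handler(name) == "php"]


# Constructed sample of upload names, not taken from any real site.
SAMPLE_NAMES = ["report.pdf", "shell.php", "shell.PhP", "image.php.jpg",
                "notes.phpx", ".htaccess"]

if __name__ == "__main__":
    for label, pattern in (("weak", WEAK_PATTERN), ("fixed", FIXED_PATTERN)):
        print(label, "->", executable_uploads(SAMPLE_NAMES, pattern))
```

With the weak pattern the script reports image.php.jpg as both accepted and executable; with the advisory's pattern the list is empty.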

Further advice can be found in the blog entry Advice on core security issue
regarding fileDenyPattern on buzz.typo3.org. There we try to describe a
number of basic steps concerning how to check your TYPO3 website for the
presence of a possible manipulation and how to change Apache's handling of
multiple extensions.

=== Vulnerability #2 ===

fe_adminlib.inc allows Cross Site Scripting

=== Severity ===

Low

=== Problem Description ===

User input processed by fe_adminlib.inc is not properly filtered to
prevent Cross Site Scripting (XSS) attacks. A TYPO3-based website is not
vulnerable to this flaw as long as no frontend extension based on
fe_adminlib.inc is in use. Popular TYPO3 extensions that use
fe_adminlib.inc are:

* direct_mail_subscription

* feuser_admin

* kb_md5fepw

=== Solution ===

Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described.

=== Background ===

This is a different XSS issue within fe_adminlib.inc from the one reported in
Security Bulletin TYPO3-20061010-1.

=== General advice ===

Follow the recommendations that are given in the TYPO3 Security Cookbook
[1]. Please subscribe to the typo3-announce mailing list [2] to receive
future Security Bulletins via E-mail. All TYPO3 Security Bulletins are
available at the Security Team pages on typo3.org [3].

=== Credits ===

Credits go to Michiel Roos and Marcus Krause who both reported issue #1 to
us and to Christian Seifert, Jeroen van Iddekinge and Arnd Messer who
reported issue #2 to us. The TYPO3 Security Team also wishes to thank the
Security Team members Marcus Krause and Henning Pingel for fixing the
issues in cooperation with the core team members Ingo Renner, Ingmar
Schlecht and Michael Stucki.

[1] <http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>

[2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>

[3] <http://typo3.org/teams/security/security-bulletins/>

Regards,

Lars Houmark

lars (at) typo3 (dot) org [email concealed]



References :

http://www.securityfocus.com/archive/1/archive/1/493270/100/0/threaded
http://www.frsirt.com/english/advisories/2008/1802
http://www.debian.org/security/2008/dsa-1596
http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
http://secunia.com/advisories/30660
http://secunia.com/advisories/30619
http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/



