SQL injection and persistent XSS

SEC Consult Vulnerability Lab Security Advisory < 20140430-0 >
=======================================================================
title: SQL injection and persistent XSS
product: Typo3 3rd party extension si_bibtex
vulnerable version: si_bibtex 0.2.3
fixed version: -
impact: critical
homepage: typo3.org/extensions/repository/view/si_bibtex
found: 2013-09-24
by: B. Schildendorfer
SEC Consult Vulnerability Lab
www.sec-consult.com
=======================================================================


Vendor description:
-------------------
"TYPO3 is an enterprise-class, Open Source CMS (Content Management System),
used internationally to build and manage websites of all types, from small
sites for non-profits to multilingual enterprise solutions for large
corporations."

Source: typo3.org/about/typo3-the-cms/


Software description:
---------------------
"'BibTex Publications' allows you to import Bibtex files from the front-end
and store them in a sysfolder. The front-end plug-in generates list and single
views of entries and provides a simple search tool. It allows also the
automatic import of BibTex files"

Source: docs.typo3.org/typo3cms/extensions/si_bibtex/0.2.3/


Business recommendation:
------------------------
By exploiting this SQL injection vulnerability, an attacker is able to gain
full access to the Typo3 database. He can use this access to crack the stored
backend user passwords which, if successful, would lead to a complete system
compromise. Depending on the location where the extension is used in the web
application, this may be possible for an unauthenticated attacker.

It is highly recommended to uninstall the si_bibtex extension until the
vulnerabilities are fixed.


Vulnerability overview/description:
-----------------------------------
The vulnerable plugin (si_bibtex) is used to import, export and view
bibliography files used for scientific citation. Flaws in the input validation
of this software lead to SQL injection and persistent cross-site scripting
vulnerabilities.

1) SQL injection

The bibtex "search" and "list" functions allow a user to display specific
bibtex items. Due to insufficient input validation of a parameter, an attacker
can inject arbitrary SQL into the query statement. By exploiting this
vulnerability, an attacker gains access to all records stored in the database
with the privileges of the Typo3 database user.

2) Persistent cross-site scripting

The bibtex "import" functionality is prone to persistent cross-site scripting
attacks. The vulnerability can be used to inject HTML or JavaScript code into
the affected web page. The imported XSS code is displayed to every user who
calls the "search" or "list" functionality of this extension.
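The following PHP snippet is an added illustration for both issues above; it is
not code from si_bibtex or from TYPO3. It shows the two controls whose absence
produces the flaw classes described: the search/list term is bound as a query
parameter instead of being concatenated into the SQL text, and every imported
field is HTML-escaped when the list view is rendered. An in-memory SQLite table
stands in for the records stored in the TYPO3 sysfolder; the table, column and
parameter names (bib_entry, title, author, :pattern) are hypothetical.

```php
<?php
// Added illustration for this advisory, not code from si_bibtex or TYPO3.
// An in-memory SQLite table stands in for the TYPO3 sysfolder records;
// table, column and parameter names are hypothetical.

function createSampleStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE bib_entry (uid INTEGER PRIMARY KEY, title TEXT, author TEXT)');

    // Constructed sample rows. The last one carries the kind of markup a
    // BibTeX import could persist; the list view must show it as text.
    $ins = $db->prepare('INSERT INTO bib_entry (title, author) VALUES (:title, :author)');
    $samples = [
        ["O'Brien's Theorem",          'A. Author'],
        ['Graph Coloring',             'B. Writer'],
        ['<script>alert(1)</script>',  'C. Untrusted'],
    ];
    foreach ($samples as [$title, $author]) {
        $ins->execute([':title' => $title, ':author' => $author]);
    }
    return $db;
}

// The search term is bound as a value and never becomes part of the SQL
// text, so quotes or comment sequences in it cannot alter the statement.
// LIKE metacharacters are escaped as well, so the term cannot widen the match.
function searchEntries(PDO $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT uid, title, author FROM bib_entry"
        . " WHERE title LIKE :pattern ESCAPE '\\' ORDER BY uid"
    );
    $stmt->execute([':pattern' => '%' . addcslashes($term, '%_\\') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Every stored field is HTML-escaped at output time, so markup that arrived
// through the import is rendered as literal text in the list view.
function renderList(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li>%s (%s)</li>\n",
            htmlspecialchars($row['title'],  ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

$db = createSampleStore();

// A term containing a single quote is treated as data: the matching row is
// returned, with no SQL error and no change to the query structure.
echo renderList(searchEntries($db, "O'Brien"));

// The imported markup comes back escaped rather than executable.
echo renderList(searchEntries($db, 'script'));
```

Inside a TYPO3 extension of that era the same two controls are available
through the core API: the database layer in `$GLOBALS['TYPO3_DB']` offers
`fullQuoteStr()` and `escapeStrForLike()` for values placed in a WHERE clause,
and `htmlspecialchars()` applied at output time covers the list and single
views. Running the snippet with PHP and the pdo_sqlite extension prints both
lists; the third sample row appears with its angle brackets encoded.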



Proof of concept:
-----------------
No proof of concept code available due to missing solution/workaround.


Vulnerable / tested versions:
-----------------------------
The following version of the si_bibtex extension has been tested, which was
the most recent version at the time of discovery.
si_bibtex 0.2.3


Vendor contact timeline:
------------------------
2013-11-05: Contacting vendor through security@typo3.org
2013-11-06: Got PGP key from vendor
2013-11-11: Sent the advisory
2014-02-23: Vendor: patch delayed
2014-03-13: Deadline defined for 2014-04-11
2014-04-11: Postponing release of advisory, giving Typo3 team some more time
2014-04-30: Release of security advisory, no patch available


Solution:
---------
No patch available.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF B. Schildendorfer / @2014