[28.02.03] Typo3 3.5b5 Security Check Results
Security REPORT TYPO3
Product: Typo3 (Version 3.5b5 / Earlier versions are possibly vulnerable too)
Vendor: Typo3 (http://www.typo3.com)
Vendor-Status: email@example.com informed / New Version availiable
-proof of file-existense
-arbitrary file retrieval
-arbitrary command execution
-CrossSiteScripting / privilege escalation / cookie-theft
-install/config files and scripts within webroot
Severity: MEDIUM to HIGH
Tested Plattforms: Linux / Slackware i686 / Apache 1.3.23 / PHP 4.1.2
Taken from www.typo3.com
TYPO3 is a free Open Source content management system for enterprise purposes
on the web and in intranets. It offers full flexibility and extendability while
featuring an accomplished set of ready-made interfaces, functions and modules.
0) CLIENT-SIDE DATA-OBFUSCATION
form-fields are obfuscated using client-side java-script routines.
after the fields are joined a java-script creates MD5-hashes and
submits the form.
examples: index.php (account-data), showpic.php(name-checksum)
attached perl-scripts (typo.pl/showpic.pl) demonstrate how to circumvent
several test-, class- and library-scripts can be found within webroot.
some of them can be forced to produce runtime errors and output their
2) PROOF OF FILE-EXISTENZ
"showpic.php" and "thumbs.php" allow an attacker to check the existense of
combined with file-enumeration methods it is possible to reconstruct parts
of the directory- and filesystem - structure.
example on howto check for existing files with attached perl-script "showpic.pl":
sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'
3) CROSS SITE SCRIPTING / COOKIE-THEFT
all system and login-errors are saved in the typo3-database.
administrators can view all the erroneous data.
since this data is not being checked for XSS-content it is possible to include
client-side script(java-script)-tags in these entries.
every time the admins view their logs these scripts will be run on the admins
web-browser which leads to a typical XSS-bug.
thus making it possible to steal the admins-cookies or let him open a new
user-account wihout his knowledge.
example with the attached "typo.pl" - perlscript:
sh> typo.pl localhost '><script>alert(document.cookie)</script>
viewing the logfiles will execute the script.
4) ARBITRARY FILE-RETRIEVAL
the "dev/translations.php" - script does not check the
ONLY-parameter for malicious values.
a relative path combined with a Nullbyte lead to the inclusion of the
5) ARBITRARY COMMAND EXECUTION
extends vulnerability number 4):
if the included file contains php-source code it will be executed.
thus allowing an attacker to execute operating-system commands and
at long sight escalate his privileges.
a file for placing our malicious php-source is needed.
if there is no file we have write-access we still can use the websevers-logfiles.
the following http-request:
localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
creates this entry:
[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/' >> ./x.php` ?>
in a typicall apache - error_log file.
using the method discussed under 4) the following http-request:
will include the apach error_log in our output and execute our php-commands.
as a result we will find x.php in our "/dev" directory.
6) SCRIPTS AND DIRECTORIES IN WEBROOT
a couple of scripts, libraries, files and directories can be found within typo3s
"/install" is improper protected and vulnerable to brute-force attacks.
"/fileadmin" directory reveals log-files and demo-scripts
"/typo3conf" directory contains the localconf.php,database.sql and other sensitive files
the serious vulnerabilities rely on the "/dev" (developer?) - directory.
scripts within this directory can be found in many/most production-environments!
1) remove "/install" directory
2) remove "/dev" directory
2) Choose strong administrator-passwords
3) showpic.php and thumbs.php must be patched.
3) remove all demo-directories and protect "/fileadmin" and "/typo3conf"
EOF Martin Eiszner / @2002WebSec.org
SEC Consult Unternehmensberatung GmbH / Martin Eiszner
Austria / EUROPE
m dot eiszner at sec-consult dot com