
TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core



Dear users of TYPO3,

It has been discovered that the default value of the TYPO3 configuration 
variable fileDenyPattern allows arbitrary code execution on Apache web servers. 
Besides that, the library fe_adminlib.inc allows Cross Site Scripting (XSS).

=== Component Type ===
TYPO3 Core

=== Affected Versions ===
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2

=== Vulnerability Types ===
Arbitrary code execution on Apache, Cross Site Scripting

=== Vulnerability #1 ===
Default value of fileDenyPattern allows arbitrary code execution on Apache

=== Severity ===
High

=== Problem Description ===
Because the default value of the TYPO3 configuration variable fileDenyPattern 
is not sufficiently secure, TYPO3 is susceptible to the following 
vulnerabilities when running on an Apache web server:

1. Authenticated backend users with access to an arbitrary filemount are able 
to upload Apache configuration files (.htaccess). A malicious backend user may 
abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the web server (the default 
case), authenticated backend users with access to an arbitrary filemount can 
upload/create and execute arbitrary files containing PHP code. The same 
applies to frontend users when TYPO3 extensions with frontend plugins rely on 
t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the 
file name. The TYPO3 Security Team is aware of a number of popular TYPO3 
extensions that use this method. Besides that, TYPO3 extensions that process 
file uploads using the method processFiles() of the core library 
fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware 
of an existing TYPO3 extension within the TYPO3 Extension Repository (TER) that 
uses the method processFiles().

=== Solution ===
Update to TYPO3 version 4.1.7 or 4.2.1, which fix the issues described. The 
new versions contain an updated default value for fileDenyPattern. If this 
default value is not used, a warning is displayed in the backend module 
"About modules" to remind the administrator to change the value of 
fileDenyPattern.

If you can't update directly, change the value of the configuration variable 
fileDenyPattern to the following value:

\.php[3456]?(\..*)?$|^\.htaccess$

This can be achieved by either changing the value of fileDenyPattern in the 
section "All configuration" within the TYPO3 install tool or by adding the line

$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)?$|^\.htaccess$';

to the end of the TYPO3 configuration file typo3conf/localconf.php.

=== Background ===
To prevent backend and frontend users from uploading arbitrary PHP scripts 
through TYPO3 core features, each file operation (upload, creation, rename, 
copy, move) includes a check of the file name against the configuration 
variable fileDenyPattern. (Further checks are performed using the contents of 
the array $TYPO3_CONF_VARS['BE']['fileExtensions']; they are not discussed 
here because they are not related to this problem.)

The previous value of fileDenyPattern allows files with multiple extensions to 
be created and uploaded, where 'php' does not necessarily have to be the last 
extension. For a file with an unknown MIME type, the Apache module mod_mime 
may search for other known extensions in the file name and handle the file 
according to the first known extension found.
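The following script is an added example, not part of the bulletin or of TYPO3 itself. It applies the replacement fileDenyPattern from the Solution section to a set of constructed file names and, beside it, a simplified model of the mod_mime multiple-extension lookup described above, so an administrator can see which names the new pattern rejects and why names such as "shell.php.txt" matter. It assumes the core check applies the pattern case-insensitively to the base name, and the set of PHP handler extensions is a constructed example, not a statement about any real Apache configuration.

```python
import re

# Replacement fileDenyPattern given in the bulletin (TYPO3 4.1.7 / 4.2.1).
FILE_DENY_PATTERN = r"\.php[3456]?(\..*)?$|^\.htaccess$"

# Assumption (not stated in the bulletin): the core check matches the
# pattern case-insensitively, so the same flag is used here.
_DENY_RE = re.compile(FILE_DENY_PATTERN, re.IGNORECASE)

# Constructed example of extensions an Apache mod_mime setup might map to
# the PHP handler; real configurations differ.
PHP_HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "php6"}


def filename_allowed(filename: str) -> bool:
    """True when the base name passes fileDenyPattern (no match = allowed)."""
    return _DENY_RE.search(filename) is None


def mod_mime_would_run_as_php(filename: str) -> bool:
    """Simplified model of mod_mime multiple-extension handling: every
    dot-separated segment after the base name is inspected, so a PHP
    extension anywhere in the chain selects the PHP handler."""
    segments = filename.split(".")[1:]
    return any(seg.lower() in PHP_HANDLER_EXTENSIONS for seg in segments)


def classify(filenames):
    """Map each name to (allowed_by_pattern, would_run_as_php).

    A name that is allowed but would run as PHP is the gap the bulletin
    describes; with the new pattern no such name should appear."""
    return {n: (filename_allowed(n), mod_mime_would_run_as_php(n))
            for n in filenames}


def unsafe_names(filenames):
    """Names that pass the deny pattern yet would be executed as PHP."""
    return [n for n, (ok, php) in classify(filenames).items() if ok and php]


if __name__ == "__main__":
    # Constructed sample upload names for the demonstration.
    samples = ["logo.png", "report.pdf", "shell.php", "shell.php.txt",
               "shell.PHP5.jpg", ".htaccess", "readme.php.bak.jpg"]
    for name, (ok, php) in classify(samples).items():
        print(f"{name:22} allowed={ok!s:5} would_run_as_php={php}")
    print("unsafe:", unsafe_names(samples))
```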

Further advice can be found in the blog entry "Advice on core security issue 
regarding fileDenyPattern" on buzz.typo3.org. There we describe a number of 
basic steps for checking your TYPO3 website for the presence of a possible 
manipulation and for changing Apache's handling of multiple extensions.

=== Vulnerability #2 ===
fe_adminlib.inc allows Cross Site Scripting

=== Severity ===
Low

=== Problem Description ===
User input processed by fe_adminlib.inc is not properly filtered to prevent 
Cross Site Scripting (XSS) attacks. A TYPO3-based website is not vulnerable to 
this flaw as long as no frontend extension based on fe_adminlib.inc is in use. 
Popular TYPO3 extensions that use fe_adminlib.inc are:

    * direct_mail_subscription
    * feuser_admin
    * kb_md5fepw

=== Solution ===
Update to TYPO3 version 4.1.7 or 4.2.1, which fix the issues described.

=== Background ===
This is a different XSS issue within fe_adminlib.inc from the one reported in 
Security Bulletin TYPO3-20061010-1.

=== General advice ===
Follow the recommendations that are given in the TYPO3 Security Cookbook [1]. 
Please subscribe to the typo3-announce mailing list [2] to receive future 
Security Bulletins via E-mail. All TYPO3 Security Bulletins are available at 
the Security Team pages on typo3.org [3].

=== Credits ===
Credits go to Michiel Roos and Marcus Krause who both reported issue #1 to us 
and to Christian Seifert, Jeroen van Iddekinge and Arnd Messer who reported 
issue #2 to us. The TYPO3 Security Team also wishes to thank the Security Team 
members Marcus Krause and Henning Pingel for fixing the issues in cooperation 
with the core team members Ingo Renner, Ingmar Schlecht and Michael Stucki.


[1] <http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>
[2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>
[3] <http://typo3.org/teams/security/security-bulletins/>

Regards,

Lars Houmark
lars@xxxxxxxxx