TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
Dear users of TYPO3,
It has been discovered that the default value of the TYPO3 configuration
variable fileDenyPattern allows arbitrary code execution on Apache web servers.
Besides that, the library fe_adminlib.inc allows Cross Site Scripting (XSS).
=== Component Type ===
TYPO3 Core
=== Affected Versions ===
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2
=== Vulnerability Types ===
Arbitrary code execution on Apache, Cross Site Scripting
=== Vulnerability #1 ===
Default value of fileDenyPattern allows arbitrary code execution on Apache
=== Severity ===
High
=== Problem Description ===
Because of a not sufficiently secure default value of the TYPO3 configuration
variable fileDenyPattern, TYPO3 is susceptible to the following vulnerabilities
when running on Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount
are able to upload Apache configuration files (.htaccess). A malicious backend
user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default
case), authenticated backend users with granted access to an arbitrary
filemount can upload/create and execute arbitrary files with PHP code. The same
applies to frontend users in the case that TYPO3 extensions with frontend
plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the
validity of the file name. The TYPO3 security team is aware of a number of
popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions
that process file uploads using the method processFiles() of the core library
fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware
of an existing TYPO3 extension within the TYPO3 extension repository (TER) that
uses the method processFiles().
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The
new versions contain an updated default value for fileDenyPattern. If this
default value is not used, there will be a warning displayed in backend module
"About modules". This should remind the administrator to change the value of
fileDenyPattern.
If you can't update directly, change the value of the configuration variable
fileDenyPattern to the following value:
\.php[3456]?(\..*)?$|^\.htaccess$
This can be achieved by either changing the value of fileDenyPattern in the
section "All configuration" within the TYPO3 install tool or by adding the line
$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)?$|^\.htaccess$';
to the end of the TYPO3 configuration file typo3conf/localconf.php.
=== Background ===
To prevent backend and frontend users from uploading arbitrary PHP scripts
through TYPO3 core features, each file operation (upload, creation, rename,
copy, move) includes a check of the file name against the configuration
variable fileDenyPattern. (Furthermore, there are more checks done using the
contents of the array $TYPO3_CONF_VARS['BE']['fileExtensions'] which are not
discussed here because they are not related to the problem.)
The previous value of fileDenyPattern allows to create and upload files with
multiple extensions where 'php' doesn't necessarily has to be the last
extension. In the case of a file with an unknown mime type the Apache module
mod_mime may search for other known extensions in the file name and handle the
file according to the first known extension found.
Further advice can be found in the blog entry Advice on core security issue
regarding fileDenyPattern on buzz.typo3.org. There we try to describe a number
of basic steps concerning how to check your TYPO3 website for the presence of a
possible manipulation and how to change Apache's handling of multiple
extensions.
=== Vulnerability #2 ===
fe_adminlib.inc allows Cross Site Scripting
=== Severity ===
Low
=== Problem Description ===
User input processed by fe_adminlib.inc is not being properly filtered to
prevent Cross Site Scripting (XSS) attacks. A TYPO3 based website will not be
vulnerable to this flaw, as long as there is no frontend extension in use, that
is based on fe_adminlib.inc. Popular TYPO3 extensions that use fe_adminlib.inc
are:
* direct_mail_subscription
* feuser_admin
* kb_md5fepw
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described.
=== Background ===
This is a different XSS issue within fe_adminlib.inc as reported in Security
Bulletin TYPO3-20061010-1.
=== General advice ===
Follow the recommendations that are given in the TYPO3 Security Cookbook [1].
Please subscribe to the typo3-announce mailing list [2] to receive future
Security Bulletins via E-mail. All TYPO3 Security Bulletins are available at
the Security Team pages on typo3.org [3].
=== Credits ===
Credits go to Michiel Roos and Marcus Krause who both reported issue #1 to us
and to Christian Seifert, Jeroen van Iddekinge and Arnd Messer who reported
issue #2 to us. The TYPO3 Security Team also wishes to thank the Security Team
members Marcus Krause and Henning Pingel for fixing the issues in cooperation
with the core team members Ingo Renner, Ingmar Schlecht and Michael Stucki.
[1] <http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>
[2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>
[3] <http://typo3.org/teams/security/security-bulletins/>
Regards,
Lars Houmark
lars@xxxxxxxxx