[Typo3-dev] TYPO3 backend "Directory Traversal Attack"

Kasper Skårhøj kasper2005 at typo3.com
Wed Nov 2 10:33:27 CET 2005


Hi Developers.

Benoit POUYET has made me aware of a security problem called "Directory 
Traversal Attack". The problem seems to be that allowing "../" in URLs could 
be considered an attack on server security. The advice is to turn off support 
for "../" in URLs. However, this completely paralyses the TYPO3 backend, where 
icons, stylesheets etc. are all prefixed with the $BACK_PATH variable, which 
is typically configured with "../../../../" or the like.

Benoit says that more and more security concerned scenarios might shut down 
this functionality and so we should be concerned with how to address it in 
TYPO3. Does any of you know about this issue and have suggestions for its 
solution?

Here is my response to Benoit and relevant parts of our conversation:

-------------------------------------


Hi Benoit,

(I took the liberty to involve the dev-list since I find no confidential 
information in our mail exchange)

Sigh....
If only all these security related concerns had been restrictions from the 
beginning of the web and of the development of TYPO3, it would be no problem, 
but oh boy how I hate it when someone comes along years after and says "yeah, 
we cannot do this little thing anymore" and doesn't realize that it affects 
millions of man-hours across the globe to change software... It's really 
horrible and impossible to predict what is next that you can't do. And of 
course they must be completely nuts to think that it can be fixed in three 
days - they spent years on the Y2K issues, right? This is almost the same in 
scope. End of rant.

The general solution would be to prefix media files and link references with 
the absolute URL of course. However it is not so easy since $BACK_PATH serves 
a double role: Both as a prefix when including files inside PHP and as a 
prefix for URL references.

However, many times when files are prefixed with the backpath it is taken from 
"$this->doc->backPath". If this is exclusively used for URLs (haven't tested) 
we could change this to an absolute URL. Unfortunately the $this->doc->backPath 
variable is set in each module as a public variable - and not using PHP5 we 
cannot call a function upon setting it. So it means changing every single 
module - and we even have no certainty that it will solve the whole problem.

Another solution is this: 
Inside init.php we start output buffering.
At the end of each backend script, AFTER the function call typically seen as 
"$SOBE->printContent()", we call something like 
"t3lib_BEfunc::convRelUrls2AbsAndFlushBuffer()" which will parse all the HTML 
of the backend module. This solution still requires that we insert a line in 
every single backend script, but it is a very systematic change (always at the 
end of the script), it will work with 100% certainty and it will not mess up 
the internal use of BACK_PATH. On the other hand it will be slow.

Finally, I'm not sure if PHP has some functions you can always ask to call at 
the end of the script for parsing the output buffer. Anyone?

Finally, one could imagine that an Apache module exists that will do the 
rel2abs conversion of URLs in the output HTML code with lightning-speed 
C-code? 

- kasper



On Wednesday 02 November 2005 08:13, you wrote:
> Hi Kasper,
> It's the backend. In fact we control URLs in the frontend; I agree that we can
> manage them by anything tip.
> But the administration in TYPO3 is more in the core and I'm afraid that
> it's more complex (you mentioned that).
> So I don't know how we can solve this. I think that major companies will
> increase security like us and TYPO3 will not be compliant with new rules.
> Any idea from you or the community will be cool. I'm searching too from my
> side.
>
> Benoît
>
> Kasper Skårhøj <kasper2005 at typo3.com> wrote on 11/01/2005 01:42:13 PM:
> > Hi Benoit,
> >
> > Are we talking about the frontend (your website) or the backend?
> >
> > If frontend a quick solution could be to parse the output and convert all
> > relative references to absolute. In backend I fear it will be far more
> > complex.
> >
> > There already is a function which resolves a ..-path. It is called
> > resolveBackPath($pathStr) and if the input string (assumed relative) is
> > prefixed with the absolute URL it will remove ../ sections just fine.
> >
> > - kasper
> >
> > On Tuesday 01 November 2005 08:19, you wrote:
> > > Hi Kasper,
> > > we have a problem with the backend since the IT increased security.
> > > You are using some " /../../  " in URLs and the security device considers
> > > this as an attack, called "Directory Traversal Attack".
> > > Extracted from the security guide:
> > > ***********************************************************************
> > > Directory traversal attack, sometimes called a dot dot attack, is a method
> > > to bypass the server's directory access lists restrictions. There are
> > > several techniques to launch a directory traversal attack: One can simply
> > > try to fetch files located at different directories using a specific
> > > directory structure. Others, more advanced attackers, can try to use
> > > encoding in order to run attacks known as "Encoded Backslash Directory
> > > Traversal Vulnerability".
> > > ***********************************************************************
> > > I don't know if you can change this to be more security safe. But the IT
> > > disables this feature and will put it again in 2 or 3 days.
> > > What do you think about that?
> > > I know that it's a boring thing, sorry for that.
> > > I'm not happy and I said that the security department has to give us a
> > > security guide to not discover the problem and prevent them.
> > >
> > > Benoît
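The output-buffer rel2abs approach Kasper sketches above, combined with the "../"-resolution his earlier mail mentions, as an added PHP example that is not TYPO3 code: `resolveDotSegments()`, `absolutizeUrls()` and the `$scriptDir` value are assumed names and a constructed value. It also answers the open question, since `ob_start()` takes a callback that PHP invokes when the buffer is flushed at script end.

```php
<?php
// Added example, not TYPO3 code: rewrites the finished backend HTML from
// an output buffer so emitted URLs are root-absolute with no "../" parts.
// Assumed names: $scriptDir, resolveDotSegments(), absolutizeUrls().

// Directory of the running backend script below the web root (constructed
// value; a deployment would derive it from $_SERVER['SCRIPT_NAME']).
$scriptDir = '/typo3/mod/web/info/';

// Collapse "." and ".." segments of a root-relative path. Returns null when
// ".." would climb above the web root, so the caller can refuse that
// reference instead of emitting a path that points outside the site.
function resolveDotSegments(string $path): ?string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (array_pop($out) === null) {
                return null; // nothing left to pop: traversal above the root
            }
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Rewrite relative src/href/action attributes to root-absolute paths.
// Scheme URLs, root paths and fragments are left alone; a reference that
// cannot be resolved inside the root becomes "#" rather than passing through.
function absolutizeUrls(string $html, string $scriptDir): string
{
    $pattern = '~\b(src|href|action)="(?![a-z][a-z0-9+.-]*:|/|#)([^"]*)"~i';
    return preg_replace_callback($pattern, function (array $m) use ($scriptDir) {
        $abs = resolveDotSegments($scriptDir . $m[2]);
        return $m[1] . '="' . ($abs ?? '#') . '"';
    }, $html);
}

// Register once (init.php would be the place): PHP runs the callback when
// the buffer is flushed at script end, so no module needs an extra line.
ob_start(function (string $buf) use ($scriptDir) {
    return absolutizeUrls($buf, $scriptDir);
});

echo '<img src="../../../gfx/icon.gif"><a href="../../../../../x.gif">x</a>';
```

The rewrite runs once per request over the whole page, which is the per-request cost Kasper flags as the downside of this design.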