[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
Dimitri Tarassenko
mitka at actdev.com
Wed Jun 11 16:32:17 CEST 2008
Actually, it is probably more correct to block all of this with FilesMatch & Deny from All in the Apache config:
# Security lockdown: never serve script files out of the upload directories.
# Adjust the Directory regex to the ABSOLUTE path of your fileadmin/uploads.
<Directory ~ "^/var/w3/.*/(fileadmin|uploads)/">
    # Match a PHP extension anywhere in the name (e.g. shell.php.jpg), not
    # only as the last one, because mod_mime evaluates every extension.
    <FilesMatch "\.(php[3-6]?|phtml)(\..*)?$">
        Order Deny,Allow
        Deny from All
    </FilesMatch>
</Directory>
Note: all my T3 sites live in /var/w3/<sitename>; change this part to the ABSOLUTE path to fileadmin.
I have several clients who have FTP access to a specific subdirectory of /fileadmin (to upload videos); restricting that via FileDenyPattern won't work there.
In addition, check whether you have mod_perl or mod_python, because even after this fix files for them can still be uploaded and possibly executed.
Dimitri Tarassenko
> -----Original Message-----
> From: typo3-russia-bounces at lists.netfielders.de
> [mailto:typo3-russia-bounces at lists.netfielders.de] On Behalf
> Of Michael Shigorin
> Sent: Wednesday, June 11, 2008 6:00 AM
> To: typo3-russia at lists.netfielders.de
> Subject: [TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
>
> Hello.
> It is recommended to update TYPO3 to 4.1.7/4.2.1; alternatively,
> change the value of the fileDenyPattern variable
> in Install Tool -> All Configuration to
>
> \.php[3456]?(\..*)?$|^\.htaccess$
>
> or add the following line to the end of typo3conf/localconf.php:
>
> $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)?$|^\.htaccess$';
>
> Otherwise, when Apache is used and .htaccess processing is enabled,
> BE users with access to any filemount can achieve execution of
> arbitrary code in the web server's context; with the mod_mime module
> enabled (the default on Apache 1.3/2.x), code execution is also
> possible for arbitrary site users who have access to a number of
> plugins via file upload forms.
>
> ----- Forwarded message from Lars Houmark <lars/typo3.org> -----
>
> Date: Wed, 11 Jun 2008 04:14:03 -0500
> From: Lars Houmark <lars/typo3.org>
> To: TYPO3 Announce List <typo3-announce/lists.netfielders.de>
> Subject: [TYPO3-announce] TYPO3 Security Bulletin
> TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
>
> Dear users of TYPO3,
>
> It has been discovered that the default value of the TYPO3
> configuration variable fileDenyPattern allows arbitrary code execution
> on Apache web servers. Besides that, the library fe_adminlib.inc
> allows Cross Site Scripting (XSS).
>
> === Component Type ===
> TYPO3 Core
>
> === Affected Versions ===
> TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2
>
> === Vulnerability Types ===
> Arbitrary code execution on Apache, Cross Site Scripting
>
> === Vulnerability #1 ===
> Default value of fileDenyPattern allows arbitrary code execution on
> Apache
>
> === Severity ===
> High
>
> === Problem Description ===
> Because of a not sufficiently secure default value of the TYPO3
> configuration variable fileDenyPattern, TYPO3 is susceptible to the
> following vulnerabilities when running on Apache web server:
>
> 1. Authenticated backend users with granted access to an arbitrary
> filemount are able to upload Apache configuration files (.htaccess).
> A malicious backend user may abuse this to create and execute files
> containing arbitrary code.
> 2. If the Apache module mod_mime is enabled on the Apache web server
> (default case), authenticated backend users with granted access to an
> arbitrary filemount can upload/create and execute arbitrary files with
> PHP code. The same applies to frontend users in the case that TYPO3
> extensions with frontend plugins rely on
> t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of
> the file name. The TYPO3 security team is aware of a number of popular
> TYPO3 extensions that use this method. Besides that, TYPO3 extensions
> that process file uploads using the method processFiles() of the core
> library fe_adminLib.inc would also be vulnerable. The TYPO3 Security
> Team is not aware of an existing TYPO3 extension within the TYPO3
> extension repository (TER) that uses the method processFiles().
>
> === Solution ===
> Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues
> described. The new versions contain an updated default value for
> fileDenyPattern. If this default value is not used, there will be a
> warning displayed in backend module "About modules". This should
> remind the administrator to change the value of fileDenyPattern.
>
> If you can't update directly, change the value of the configuration
> variable fileDenyPattern to the following value:
>
> \.php[3456]?(\..*)?$|^\.htaccess$
>
> This can be achieved by either changing the value of fileDenyPattern
> in the section "All configuration" within the TYPO3 install tool or by
> adding the line
>
> $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)?$|^\.htaccess$';
>
> to the end of the TYPO3 configuration file typo3conf/localconf.php.
>
> === Background ===
> To prevent backend and frontend users from uploading arbitrary PHP
> scripts through TYPO3 core features, each file operation (upload,
> creation, rename, copy, move) includes a check of the file name
> against the configuration variable fileDenyPattern. (Furthermore,
> there are more checks done using the contents of the array
> $TYPO3_CONF_VARS['BE']['fileExtensions'] which are not discussed here
> because they are not related to the problem.)
>
> The previous value of fileDenyPattern allows to create and upload
> files with multiple extensions where 'php' doesn't necessarily have to
> be the last extension. In the case of a file with an unknown mime type
> the Apache module mod_mime may search for other known extensions in
> the file name and handle the file according to the first known
> extension found.
>
> Further advice can be found in the blog entry Advice on core security
> issue regarding fileDenyPattern on buzz.typo3.org. There we try to
> describe a number of basic steps concerning how to check your TYPO3
> website for the presence of a possible manipulation and how to change
> Apache's handling of multiple extensions.
>
> === Vulnerability #2 ===
> fe_adminlib.inc allows Cross Site Scripting
>
> === Severity ===
> Low
>
> === Problem Description ===
> User input processed by fe_adminlib.inc is not being properly filtered
> to prevent Cross Site Scripting (XSS) attacks. A TYPO3 based website
> will not be vulnerable to this flaw, as long as there is no frontend
> extension in use, that is based on fe_adminlib.inc. Popular TYPO3
> extensions that use fe_adminlib.inc are:
>
> * direct_mail_subscription
> * feuser_admin
> * kb_md5fepw
>
> === Solution ===
> Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues
> described.
>
> === Background ===
> This is a different XSS issue within fe_adminlib.inc as reported in
> Security Bulletin TYPO3-20061010-1.
>
> === General advice ===
> Follow the recommendations that are given in the TYPO3 Security
> Cookbook [1]. Please subscribe to the typo3-announce mailing list [2]
> to receive future Security Bulletins via E-mail. All TYPO3 Security
> Bulletins are available at the Security Team pages on typo3.org [3].
>
> === Credits ===
> Credits go to Michiel Roos and Marcus Krause who both reported issue
> #1 to us and to Christian Seifert, Jeroen van Iddekinge and Arnd
> Messer who reported issue #2 to us. The TYPO3 Security Team also
> wishes to thank the Security Team members Marcus Krause and Henning
> Pingel for fixing the issues in cooperation with the core team members
> Ingo Renner, Ingmar Schlecht and Michael Stucki.
>
>
> [1] <http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>
> [2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>
> [3] <http://typo3.org/teams/security/security-bulletins/>
>
> Regards,
>
> Lars Houmark
> lars/typo3.org
>
>
>
> _______________________________________________
> TYPO3-announce mailing list
> TYPO3-announce/lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce
>
> ----- End forwarded message -----
>
> --
> ---- WBR, Michael Shigorin <mike at altlinux.ru>
> ------ Linux.Kiev http://www.linux.kiev.ua/
> _______________________________________________
> TYPO3-russia mailing list
> TYPO3-russia at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-russia
>
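As an added check (not code from the bulletin, TYPO3 or any poster in this thread), the following Python simulation runs candidate upload names through a deny pattern the way the bulletin describes the file-name check, then models mod_mime's multiple-extension handling to show why a pattern anchored only on the last extension leaves a gap that the bulletin's pattern closes. The weak pattern, the PHP extension set and the sample file names are constructed assumptions for this demonstration.

```python
import re

# Deny pattern recommended in bulletin TYPO3-20080611-1 (taken from the page).
FIXED_DENY_PATTERN = r"\.php[3456]?(\..*)?$|^\.htaccess$"
# Constructed stand-in for a pattern that inspects only the LAST extension;
# it illustrates the weakness and is not the real pre-4.1.7 default value.
WEAK_DENY_PATTERN = r"\.php[3456]?$"

# Assumed set of extensions mapped to the PHP handler on the web server.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php6", "phtml"}

# Constructed upload names a defender would push through the check.
SAMPLE_NAMES = ["picture.jpg", "shell.php", "shell.php.jpg",
                "shell.PHP5.txt", ".htaccess", "notes.txt.php"]


def filename_allowed(filename, deny_pattern):
    """Mirror the bulletin's check: a name that matches fileDenyPattern is
    rejected. Case-insensitive matching is assumed here (TYPO3 applies the
    pattern with preg_match and the /i modifier)."""
    return re.search(deny_pattern, filename, re.IGNORECASE) is None


def mod_mime_handler(filename):
    """Simplified model of mod_mime multiple-extension handling (an
    assumption for this demo, not mod_mime's code): every dot-separated
    part after the base name is inspected, and a PHP extension anywhere in
    the chain selects the PHP handler even if a later extension such as
    .jpg only sets the content type."""
    handler = "default"
    for ext in filename.split(".")[1:]:
        if ext.lower() in PHP_EXTENSIONS:
            handler = "php-script"
    return handler


def uploads_that_execute(names, deny_pattern):
    """Names that pass the deny pattern AND would be run as PHP by mod_mime.
    An empty list means the configured pattern closes the gap."""
    return [n for n in names
            if filename_allowed(n, deny_pattern)
            and mod_mime_handler(n) == "php-script"]
```

Running uploads_that_execute(SAMPLE_NAMES, ...) with the weak pattern reports the double-extension names, while the bulletin's pattern reports none and additionally rejects .htaccess.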