[TYPO3-announce] TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core

Lars Houmark lars at typo3.org
Wed Jun 11 11:14:03 CEST 2008


Dear users of TYPO3,

It has been discovered that the default value of the TYPO3  
configuration variable fileDenyPattern allows arbitrary code execution  
on Apache web servers. Besides that, the library fe_adminlib.inc  
allows Cross Site Scripting (XSS).

=== Component Type ===
TYPO3 Core

=== Affected Versions ===
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2

=== Vulnerability Types ===
Arbitrary code execution on Apache, Cross Site Scripting

=== Vulnerability #1 ===
Default value of fileDenyPattern allows arbitrary code execution on  
Apache

=== Severity ===
High

=== Problem Description ===
Because the default value of the TYPO3 configuration variable
fileDenyPattern is not sufficiently restrictive, TYPO3 is susceptible to
the following vulnerabilities when running on an Apache web server:

1. Authenticated backend users with access to any filemount are able to
upload Apache configuration files (.htaccess). A malicious backend user
may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server
(the default case), authenticated backend users with access to any
filemount can upload/create and execute arbitrary files containing PHP
code. The same applies to frontend users if TYPO3 extensions with
frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern()
to check the validity of the file name. The TYPO3 Security Team is
aware of a number of popular TYPO3 extensions that use this method.
Besides that, TYPO3 extensions that process file uploads using the
method processFiles() of the core library fe_adminLib.inc would also be
vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3
extension within the TYPO3 Extension Repository (TER) that uses the
method processFiles().

=== Solution ===
Update to TYPO3 4.1.7 or 4.2.1, which fix the issues described. The new
versions contain an updated default value for fileDenyPattern. If this
default value is not used, a warning is displayed in the backend module
"About modules" to remind the administrator to change the value of
fileDenyPattern.

If you can't update directly, change the value of the configuration  
variable fileDenyPattern to the following value:

\.php[3456]?(\..*)?$|^\.htaccess$

This can be achieved either by changing the value of fileDenyPattern in
the section "All configuration" within the TYPO3 install tool or by
adding the line

$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)?$|^\.htaccess$';

to the end of the TYPO3 configuration file typo3conf/localconf.php.

=== Background ===
To prevent backend and frontend users from uploading arbitrary PHP  
scripts through TYPO3 core features, each file operation (upload,  
creation, rename, copy, move) includes a check of the file name  
against the configuration variable fileDenyPattern. (Furthermore,  
there are more checks done using the contents of the array  
$TYPO3_CONF_VARS['BE']['fileExtensions'] which are not discussed here  
because they are not related to the problem.)

The previous value of fileDenyPattern allowed files with multiple
extensions to be created and uploaded, where 'php' did not have to be
the last extension (for example shell.php.txt). If the last extension
is unknown to Apache, the module mod_mime may evaluate the other
extensions in the file name and handle the file according to the first
known extension it finds, so such a file is executed as PHP.

Further advice can be found in the blog entry Advice on core security  
issue regarding fileDenyPattern on buzz.typo3.org. There we try to  
describe a number of basic steps concerning how to check your TYPO3  
website for the presence of a possible manipulation and how to change  
Apache's handling of multiple extensions.
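The deny-pattern check described above, together with a one-off scan of an upload directory for files that a weaker pattern may already have let in, as an added example in PHP. This is not TYPO3's own t3lib_div::verifyFilenameAgainstDenyPattern() or fe_adminLib.inc code. It assumes the pattern is applied as a case-insensitive PCRE to the base name; DENY_PATTERN_WEAK is an illustrative end-anchored pattern standing in for the old default (not its actual value), while DENY_PATTERN_FIXED is the value given in this bulletin. The sample file names and the directory tree are constructed.

```php
<?php
// Added example (not TYPO3's own t3lib_div::verifyFilenameAgainstDenyPattern()
// or fe_adminLib.inc code). ASSUMPTIONS: the deny pattern is applied as a
// case-insensitive PCRE to the base name; DENY_PATTERN_WEAK is an illustrative
// end-anchored pattern standing in for the old default, not its actual value.
const DENY_PATTERN_WEAK  = '\.php[3456]?$';
const DENY_PATTERN_FIXED = '\.php[3456]?(\..*)?$|^\.htaccess$'; // value from the bulletin

/**
 * True if $filename must be rejected under $pattern. Only the base name is
 * checked, case-insensitively: Apache matches extensions case-insensitively,
 * so "x.PHP" must be denied as well.
 */
function isDeniedFilename(string $filename, string $pattern): bool
{
    $base = basename($filename);
    if ($base === '' || $pattern === '') {
        return false;
    }
    // '/' delimiters are safe here: neither pattern above contains '/'.
    return preg_match('/' . $pattern . '/i', $base) === 1;
}

/**
 * Walks $dir and returns the relative paths of files whose base name matches
 * $pattern. Running this with the fixed pattern over fileadmin/ and uploads/
 * lists files that a weaker pattern may have let in earlier.
 */
function findDeniedFiles(string $dir, string $pattern): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile() && isDeniedFilename($file->getFilename(), $pattern)) {
            $hits[] = substr($file->getPathname(), strlen($dir) + 1);
        }
    }
    sort($hits);
    return $hits;
}

// --- constructed sample names: weak vs fixed pattern ----------------------
$samples = [
    'report.pdf',      // harmless either way
    'shell.php',       // both patterns deny
    'shell.PHP',       // upper case: the /i modifier keeps this denied
    'shell.php.txt',   // php not last: weak allows, mod_mime still runs it
    'shell.php3.jpg',  // same via the php3 extension
    '.htaccess',       // weak allows: attacker can add e.g. an AddHandler line
    'php.ini',         // no ".php" extension: not matched by either pattern
];
foreach ($samples as $name) {
    printf("%-16s weak=%-5s fixed=%s\n", $name,
        isDeniedFilename($name, DENY_PATTERN_WEAK)  ? 'deny' : 'allow',
        isDeniedFilename($name, DENY_PATTERN_FIXED) ? 'deny' : 'allow');
}

// --- constructed directory tree standing in for fileadmin/ ----------------
$root = sys_get_temp_dir() . '/fileadmin_' . getmypid();
$planted = ['user_upload/shell.php.txt', 'user_upload/.htaccess', 'image.jpg'];
mkdir("$root/user_upload", 0700, true);
foreach ($planted as $f) {
    file_put_contents("$root/$f", '');
}
print_r(findDeniedFiles($root, DENY_PATTERN_FIXED));

// clean up the constructed tree
foreach ($planted as $f) {
    unlink("$root/$f");
}
rmdir("$root/user_upload");
rmdir($root);
```

Run it with the php CLI. The table shows the weak pattern allowing shell.php.txt, shell.php3.jpg and .htaccess while the fixed pattern denies all three, and the scan lists the two planted files under user_upload/. Note that the fixed pattern also rejects harmless names such as notes.php.txt; that is the price of not depending on how Apache interprets multiple extensions, which the blog entry referenced above addresses on the Apache side.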

=== Vulnerability #2 ===
fe_adminlib.inc allows Cross Site Scripting

=== Severity ===
Low

=== Problem Description ===
User input processed by fe_adminlib.inc is not properly filtered to
prevent Cross Site Scripting (XSS) attacks. A TYPO3 based website is
not vulnerable to this flaw as long as no frontend extension based on
fe_adminlib.inc is in use. Popular TYPO3 extensions that use
fe_adminlib.inc are:

     * direct_mail_subscription
     * feuser_admin
     * kb_md5fepw
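The class of flaw behind issue #2, as an added example in PHP: a frontend form handler that re-displays a submitted value, first interpolating it raw and then escaping it for an HTML attribute context. This is not code from fe_adminlib.inc or from the extensions listed above; the field name, the submitted value and the render functions are all constructed for illustration.

```php
<?php
// Added example, not code from fe_adminLib.inc: a frontend form handler that
// re-displays a submitted value. The first variant is the XSS pattern, the
// second escapes the value for an HTML attribute context.

// Constructed stand-in for $_POST: a value that closes the attribute and tag.
const SUBMITTED = ['name' => '"><script>alert(document.cookie)</script>'];

/** Vulnerable: the raw value is interpolated into the attribute. */
function renderFieldUnsafe(string $field, array $data): string
{
    $value = $data[$field] ?? '';
    return '<input type="text" name="' . $field . '" value="' . $value . '">';
}

/** Hardened: quotes and angle brackets are encoded; the charset is explicit. */
function renderFieldSafe(string $field, array $data): string
{
    $name  = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    $value = htmlspecialchars($data[$field] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

/** True if the rendered markup still contains the submitted value verbatim. */
function leaksPayload(string $html, string $value): bool
{
    return strpos($html, $value) !== false;
}

$unsafe = renderFieldUnsafe('name', SUBMITTED);
$safe   = renderFieldSafe('name', SUBMITTED);
echo $unsafe, "\n", $safe, "\n";
echo 'unsafe leaks payload: ', var_export(leaksPayload($unsafe, SUBMITTED['name']), true), "\n";
echo 'safe leaks payload:   ', var_export(leaksPayload($safe, SUBMITTED['name']), true), "\n";
```

In the unsafe output the submitted quote and angle bracket terminate the value attribute and the input tag, so the script element is parsed by the browser; in the safe output they are emitted as entities and stay inert text inside the attribute.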

=== Solution ===
Update to TYPO3 4.1.7 or 4.2.1, which fix the issues described.

=== Background ===
This is a different XSS issue within fe_adminlib.inc from the one
reported in Security Bulletin TYPO3-20061010-1.

=== General advice ===
Follow the recommendations that are given in the TYPO3 Security  
Cookbook [1]. Please subscribe to the typo3-announce mailing list [2]  
to receive future Security Bulletins via E-mail. All TYPO3 Security  
Bulletins are available at the Security Team pages on typo3.org [3].

=== Credits ===
Credits go to Michiel Roos and Marcus Krause who both reported issue  
#1 to us and to Christian Seifert, Jeroen van Iddekinge and Arnd  
Messer who reported issue #2 to us. The TYPO3 Security Team also  
wishes to thank the Security Team members Marcus Krause and Henning  
Pingel for fixing the issues in cooperation with the core team members  
Ingo Renner, Ingmar Schlecht and Michael Stucki.


[1] <http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>
[2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>
[3] <http://typo3.org/teams/security/security-bulletins/>

Regards,

Lars Houmark
lars at typo3.org




