Dear users of TYPO3,
It has been discovered that the default value of the TYPO3 configuration variable fileDenyPattern allows arbitrary code execution on Apache web servers. Besides that, the library fe_adminlib.inc allows Cross Site Scripting (XSS).
=== Component Type ===
TYPO3 Core
=== Affected Versions ===
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.6, 4.2
=== Vulnerability Types ===
Arbitrary code execution on Apache, Cross Site Scripting
=== Vulnerability #1 ===
Default value of fileDenyPattern allows arbitrary code execution on Apache
=== Severity ===
High
=== Problem Description ===
Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, TYPO3 is susceptible to the following vulnerabilities when running on Apache web server:
1. Authenticated backend users with granted access to an arbitrary filemount are able to upload Apache configuration files (.htaccess). A malicious backend user may abuse this to create and execute files containing arbitrary code.
2. If the Apache module mod_mime is enabled on the Apache web server (default case), authenticated backend users with granted access to an arbitrary filemount can upload/create and execute arbitrary files with PHP code. The same applies to frontend users in the case that TYPO3 extensions with frontend plugins rely on t3lib_div::verifyFilenameAgainstDenyPattern() to check the validity of the file name. The TYPO3 security team is aware of a number of popular TYPO3 extensions that use this method. Besides that, TYPO3 extensions that process file uploads using the method processFiles() of the core library fe_adminLib.inc would also be vulnerable. The TYPO3 Security Team is not aware of an existing TYPO3 extension within the TYPO3 extension repository (TER) that uses the method processFiles().
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described. The new versions contain an updated default value for fileDenyPattern. If this default value is not used, there will be a warning displayed in backend module "About modules". This should remind the administrator to change the value of fileDenyPattern.
If you can't update directly, change the value of the configuration variable fileDenyPattern to the following value:
\.php[3456]?(\..*)?$|^\.htaccess$
This can be achieved by either changing the value of fileDenyPattern in the section "All configuration" within the TYPO3 install tool or by adding the line
$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']='\.php[3456]?(\..*)
?$|^\.htaccess$';
to the end of the TYPO3 configuration file typo3conf/localconf.php.
=== Background ===
To prevent backend and frontend users from uploading arbitrary PHP scripts through TYPO3 core features, each file operation (upload, creation, rename, copy, move) includes a check of the file name against the configuration variable fileDenyPattern. (Furthermore, there are more checks done using the contents of the array $TYPO3_CONF_VARS['BE']['fileExtensions'] which are not discussed here because they are not related to the problem.)
The previous value of fileDenyPattern allows to create and upload files with multiple extensions where 'php' doesn't necessarily has to be the last extension. In the case of a file with an unknown mime type the Apache module mod_mime may search for other known extensions in the file name and handle the file according to the first known extension found.
Further advice can be found in the blog entry Advice on core security issue regarding fileDenyPattern on buzz.typo3.org. There we try to describe a number of basic steps concerning how to check your TYPO3 website for the presence of a possible manipulation and how to change Apache's handling of multiple extensions.
=== Vulnerability #2 ===
fe_adminlib.inc allows Cross Site Scripting
=== Severity ===
Low
=== Problem Description ===
User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks. A TYPO3 based website will not be vulnerable to this flaw, as long as there is no frontend extension in use, that is based on fe_adminlib.inc. Popular TYPO3 extensions that use fe_adminlib.inc are:
* direct_mail_subscription
* feuser_admin
* kb_md5fepw
=== Solution ===
Update to the TYPO3 versions 4.1.7 or 4.2.1 that fix the issues described.
=== Background ===
This is a different XSS issue within fe_adminlib.inc as reported in Security Bulletin TYPO3-20061010-1.
=== General advice ===
Follow the recommendations that are given in the TYPO3 Security Cookbook [1]. Please subscribe to the typo3-announce mailing list [2] to receive future Security Bulletins via E-mail. All TYPO3 Security Bulletins are available at the Security Team pages on typo3.org [3].
=== Credits ===
Credits go to Michiel Roos and Marcus Krause who both reported issue #1 to us and to Christian Seifert, Jeroen van Iddekinge and Arnd Messer who reported issue #2 to us. The TYPO3 Security Team also wishes to thank the Security Team members Marcus Krause and Henning Pingel for fixing the issues in cooperation with the core team members Ingo Renner, Ingmar Schlecht and Michael Stucki.
[1] <http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.
pdf>
[2] <http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce>
[3] <http://typo3.org/teams/security/security-bulletins/>
Regards,
Lars Houmark
lars (at) typo3 (dot) org [email concealed]