File system path disclosure on TYPO3 Web Content Manager

2006.01.21
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

---------------------------------------------------------------------- IRM Security Advisory No. 015 File system path disclosure on TYPO3 Web Content Manager Vulnerablity Type / Importance: Information Leakage / Medium Problem discovered: January 13th 2006 Vendor contacted: January 13th 2006 Advisory published: January 19th 2006 ---------------------------------------------------------------------- Abstract: TYPO3 is a free Open Source content management system for enterprise purposes on the web and in intranets. It offers full flexibility and extendability while featuring an accomplished set of ready-made interfaces, functions and modules. Description: IRM has discovered an information leakage vulnerability in TYPO3 that allows remote users to disclose the file system path of the application when requesting certain files. The following files were found to disclose the application path: http://hostname/typo3/t3lib/thumbs.php http://hostname/tslib/showpic.php http://hostname/t3lib/stddb/tables.php Technical details: The issue is due to the application failing to properly determine its own physical path and therefore trying to 'require()' a wrong class file. From init.php, line 71: define('PATH_thisScript',str_replace('//','/', str_replace('\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERV ER[' ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SER VER[ 'PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCR IPT_ FILENAME']:$_SERVER['SCRIPT_FILENAME'])))); From the PHP manual: "You can define a constant by using the define()-function. Once a constant is defined, it can never be changed or undefined" The vulnerable files listed above fail to include init.php and the 'PATH_thisScript' variable is locally calculated: define('PATH_thisScript',str_replace('//','/', str_replace('\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERV ER[' ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SER VER[ 'PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCR IPT_ FILENAME']:$_SERVER['SCRIPT_FILENAME'])))); define('PATH_site', ereg_replace('[^/]*.[^/]*$','',PATH_thisScript)); define('PATH_t3lib', PATH_site.'t3lib/'); define('PATH_tslib', PATH_site.'tslib/'); At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values and any 'require()' function using these constants will not work and will disclose the file system path. Tested Versions: Version 3.7.1 Vendor & Patch Information: Contact was initially made via the TYPO3 bug reporting system on January 13th 2006. On January 14th a patch for the issue was published on the site (http://bugs.typo3.org/view.php?id=2248) Workarounds: IRM are not aware of any workarounds for this issue. Credits: Research & Advisory: Rodrigo Marcos Disclaimer: All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information. A copy of this advisory may be found at: http://www.irmplc.com/advisories.htm ---------------------------------------------------------------------- Information Risk Management Plc. Kings Building, Smith Square, London, United Kingdom SW1P 3JJ +44 (0)207 808 6420 UPDATE : On Thu, Jan 19, 2006 at 10:30:36AM -0000, Advisories wrote: > File system path disclosure on TYPO3 Web Content Manager > Vulnerablity Type / Importance: Information Leakage / Medium Hm, since when path disclosure is "medium importance"? > The following files were found to disclose the application path: > http://hostname/typo3/t3lib/thumbs.php > http://hostname/tslib/showpic.php > http://hostname/t3lib/stddb/tables.php > Tested Versions: > Version 3.7.1 The first one verified as applicable to 3.8.1 too (easily avoidable by adding IP- or user-based access restriction to /typo3 since that's administrative backend anyways), and the rest doesn't disclose anything on properly configured at least display_errors-wise webserver, which is a documented recommended (and often reiterated everywhere) PHP setup. > Workarounds: > IRM are not aware of any workarounds for this issue. Ouch. :) -- ---- WBR, Michael Shigorin <mike (at) altlinux (dot) ru [email concealed]> ------ Linux.Kiev http://www.linux.kiev.ua/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFDz+TWbsPDprYMm3IRAsTzAJ95EE3jI3vFMZfSxaeMngvXvONOjQCdEj11 M8aMdL19h8fLI3+7F4NNNXM= =WJmd -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top