Incomplete Access Management and Remote Code Execution Vulnerability in TYPO3 Core

Categories: TYPO3 CMS Created by Helmut Hummel
It has been discovered that TYPO3 Core has Incomplete Access Management and is vulnerable to Remote Code Execution.

Component Type: TYPO3 Core

Vulnerability Types: Cross-Site Scripting, Remote Code Execution

Overall Severity: Critical

Release Date: September 4, 2013


Vulnerable subcomponent: File handling / File Abstraction Layer

Vulnerability Type: Incomplete Access Management

Affected Versions: All versions from 6.0.0 up to the development branch of 6.2

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C

CVE: CVE-2013-4320

Problem Description: TYPO3 comes with the possibility to restrict editors to certain file actions (copy, delete, move etc.) and to restrict these actions to be performed in certain locations (file mounts). This permission handling was only partly implemented with the introduction of the File Abstraction Layer (FAL). The file action permissions that can be set in backend user and group records were not respected and users could break out of file mounts by crafting URLs. Thus, unprivileged users could create or read arbitrary files within or outside the document root.

Solution: Update to TYPO3 version 6.0.9, 6.1.4 or the latest development version! It is important to clear all caches (use "Clear all caches" in the backend or delete the complete typo3temp/Cache directory) for the changes to take effect after the TYPO3 source files have been updated!

Notes: Administrators are advised to set file permissions for backend users or groups by using User TSConfig instead of the file permission check boxes in the user or group records. This allows more fine-grained control over single file action permissions.

Example for setting default permissions for users or groups in User TSConfig:

permissions.file.default {
  addFile = 0
  readFile = 1
  writeFile = 1
  copyFile = 1
  moveFile = 1
  renameFile = 0
  unzipFile = 0
  deleteFile = 0
  addFolder = 1
  readFolder = 1
  writeFolder = 1
  copyFolder = 1
  moveFolder = 0
  renameFolder = 0
  deleteFolder = 1
  recursivedeleteFolder = 1
}

Example for setting permissions for the storage with ID 1 (overriding the default settings):

permissions.file.storage.1 {
  addFile = 1
  readFile = 1
  writeFile = 1
  copyFile = 1
  moveFile = 1
  renameFile = 0
  unzipFile = 0
  deleteFile = 0
  addFolder = 1
  readFolder = 1
  writeFolder = 1
  copyFolder = 1
  moveFolder = 0
  renameFolder = 0
  deleteFolder = 1
  recursivedeleteFolder = 1
}

Credits: Credits go to Sebastian Nerz who discovered and reported the issues, Steffen Ritter and Helmut Hummel for creating the fixes and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer and Ernesto Baschny for testing.


Vulnerable subcomponent: File Abstraction Layer

Vulnerability Type: Remote Code Execution

Affected Versions: All versions from 6.0.0 up to the development branch of 6.2

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: CVE-2013-4321

Problem Description: The check for denied file extensions implemented in the File Abstraction Layer, as mentioned in advisory TYPO3-CORE-SA-2013-002, was incomplete. It was still possible for editors to rename files to denied file extensions by inserting special characters that were removed at a later point. This (again) allowed authenticated editors to forge PHP files with arbitrary code, which could then be executed in the web server's context.
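To illustrate the ordering flaw behind this issue (the denied-extension check ran on the requested name before unwanted characters were stripped from it), here is an added Python model; it is not TYPO3's code, and the deny pattern, the stripped character set and the function names are assumptions chosen for the example.

```python
import re
from typing import Optional

# Constructed deny pattern for executable extensions, including double
# extensions such as "x.php.txt". Assumption for this example, not TYPO3's
# configured pattern.
DENIED_EXTENSION_RE = re.compile(r"\.(php[3-7]?|phtml|phpsh)(\..*)?$", re.IGNORECASE)

# Characters the (assumed) storage layer silently removes from a file name.
STRIPPED_CHARS = "*?\"<>|:\x00"


def sanitize_name(name: str) -> str:
    """Drop characters the storage layer will not write (assumed behaviour)."""
    return "".join(c for c in name if c not in STRIPPED_CHARS)


def is_denied(name: str) -> bool:
    """True if the name carries a denied (executable) extension."""
    return DENIED_EXTENSION_RE.search(name) is not None


def rename_vulnerable(requested: str) -> Optional[str]:
    """Check first, sanitize afterwards: the name that is checked is not the
    name that ends up on disk, so "shell.p*hp" passes and becomes "shell.php"."""
    if is_denied(requested):
        return None
    return sanitize_name(requested)


def rename_fixed(requested: str) -> Optional[str]:
    """Sanitize first, then check the exact name that will be written."""
    final = sanitize_name(requested)
    if is_denied(final):
        return None
    return final


if __name__ == "__main__":
    for name in ("report.pdf", "shell.php", "shell.p*hp", "notes.ph\x00p.txt"):
        print(repr(name), "->", rename_vulnerable(name), "|", rename_fixed(name))
```

The fixed variant is the general rule for any filter applied to user-supplied names: validate the canonical, final form, never an intermediate one.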

Solution: Update to TYPO3 version 6.0.9, 6.1.4 or the latest development version!

Credits: Credits go to Sascha Egerer who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.