TYPO3 allows files to be uploaded either through the backend user interface or through custom developed extensions. To reduce the possibility of uploading potentially malicious code, TYPO3 uses the fileDenyPattern to prevent e.g. user-submitted PHP scripts from being persisted. Besides that, any editor can upload file assets using the file module (fileadmin) or by changing their avatar image shown in the TYPO3 backend.
By default, TYPO3 also allows HTML and SVG files to be uploaded and stored using the mentioned functionalities. Custom extension implementations would probably also accept those files if only the fileDenyPattern is evaluated.
Since HTML and SVG files - which per the W3C standard may contain executable JavaScript code - can be displayed directly in web clients, the whole web application is exposed to Cross-Site Scripting. Currently the following scenarios are known, given that an authenticated regular editor is able to upload files using the TYPO3 backend:
SVG files that are embedded using an <img src="malicious.svg"> tag are not vulnerable, since potential scripts are not executed in that scenario (see https://www.w3.org/wiki/SVG_Security). The icon API of TYPO3 is not in the scope of this announcement, since SVG icons need to be registered using an individual implementation, which is not considered user-submitted content.
The real solution to avoid user-submitted content and Cross-Site Scripting in HTML and SVG files is to disable the possibility to upload those files altogether. The TYPO3 install tool provides the corresponding settings in TYPO3_CONF_VARS/SYS, which should no longer contain the HTML and SVG file extensions.
In case editors with access to the TYPO3 backend are not considered "trustworthy", administrators have to manually adjust their configuration in order to disallow these file types in the corresponding install tool settings:
While disallowing HTML uploads may be possible, disallowing SVG files might not be an option when they are used as media assets. For this scenario the additional TYPO3 extension svg_sanitizer has been implemented, which makes use of the third-party composer package enshrined/svg-sanitize. The scope of this extension is to sanitize SVG files when they are uploaded, removing potentially malicious code, which concerns the following scenarios:
Besides that, the extension svg_sanitizer ships with an upgrade wizard that allows sanitizing existing SVG files persisted in file storages. This can be done by invoking its upgrade wizard in the TYPO3 install tool.
The extension svg_sanitizer requires at least TYPO3 version 8.7.13 or 9.2.0 in order to make use of the mentioned hooks in class GeneralUtility. The extension can be obtained from the following sources:
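The two mitigations above (removing HTML from the allowed upload extensions, and sanitizing SVG files that must stay allowed as media assets) combined in one added example; this is not code from the advisory or from the svg_sanitizer extension. It assumes the standard TYPO3 setting keys textfile_ext and mediafile_ext under TYPO3_CONF_VARS/SYS (the advisory does not name the keys) and the enshrined/svg-sanitize package installed via composer.

```php
<?php
// Added example (not the advisory's own code): keep SVG media but never store HTML,
// and run every SVG through enshrined/svg-sanitize before it is persisted.
// Assumptions: TYPO3 >= 8.7.13, composer autoloader in ./vendor, setting keys
// SYS/textfile_ext and SYS/mediafile_ext as used by TYPO3 8/9.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// 1) Install-tool settings (TYPO3_CONF_VARS/SYS), e.g. in AdditionalConfiguration.php:
//    drop "html" and "htm" from the allowed text-file extensions. SVG remains in
//    mediafile_ext because it is needed as a media asset, so it has to be sanitized.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext'] = 'txt,ts,css,tmpl,js,sql,xml,csv,xlf,yaml,yml';

// 2) Sanitize SVG markup. Returns the cleaned document, or null when the input
//    cannot be parsed at all (the upload should then be rejected, not stored).
function sanitizeSvg(string $svg): ?string
{
    $sanitizer = new Sanitizer();
    $sanitizer->removeRemoteReferences(true); // also strip references to external resources
    $clean = $sanitizer->sanitize($svg);
    return $clean === false ? null : $clean;
}

// Constructed sample input: a script element plus an event-handler attribute,
// i.e. the two ways an SVG can carry executable JavaScript.
$dirty = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" onload="alert('xss')">
  <script>alert('xss')</script>
  <circle cx="10" cy="10" r="5"/>
</svg>
SVG;

$clean = sanitizeSvg($dirty);
if ($clean === null) {
    throw new RuntimeException('SVG could not be parsed; reject the upload');
}
// Expected: script element and onload attribute removed, the <circle> element kept.
var_dump(strpos($clean, '<script') === false);  // bool(true)
var_dump(strpos($clean, 'onload') === false);   // bool(true)
var_dump(strpos($clean, '<circle') !== false);  // bool(true)
```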
Credits go to Mohamed Keffous and Nguyen Thanh Nguyen (FortiGuard Labs), who reported the vulnerability concerning SVG files, and to TYPO3 framework merger Frank Nägler for providing the additional svg_sanitizer extension - the work time needed to achieve this was sponsored by TYPO3 GmbH.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.