Mitigation of Cross-Site Scripting Vulnerabilities in File Upload Handling

Categories: Development, TYPO3 CMS. Created by Oliver Hader.
Repeating and refining public service announcement TYPO3-PSA-2019-010.
  • Component Type: TYPO3 CMS
  • Subcomponent: File Upload Handling (ext:filelist)
  • Release Date: November 17, 2020
  • Affected Versions: all

Problem Description

According to TYPO3-PSA-2019-010, authenticated users without administrator privileges are allowed to upload files to their granted file mounts (e.g. fileadmin/ in most cases). This includes the possibility to upload potentially malicious code in HTML or SVG files (containing JavaScript, which introduces cross-site scripting vulnerabilities).

Custom applications might allow uploading SVG files alongside other image file formats for user profile avatars, to give another example of a potential attack vector.

By definition, this allows attackers to introduce cross-site scripting vulnerabilities.

This announcement is repeating TYPO3-PSA-2019-010.

Solution

To mitigate these scenarios it is advised to deny uploading such files as described in TYPO3-PSA-2019-010, which might be impractical for some sites. Alternative mitigation strategies are explained below.

Mitigation

TYPO3 versions 9.5.23 and 10.4.10 ship with a new security check that verifies basic Content Security Policy headers (see below) for resources in fileadmin/. Since TYPO3 allows creating and composing custom applications, the following mitigation strategies should be considered individually for each website in production.

Content Security Policy HTTP header

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

It is advised to add Content Security Policy headers for publicly accessible directories, basically all base directories of file storages (sys_file_storage).

The following example shows the contents of a file located at fileadmin/.htaccess when using Apache 2.x web servers; it has to be duplicated for any other custom file storage location.

<IfModule mod_headers.c>
  <FilesMatch "\.pdf$">
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;"
  </FilesMatch>
  <FilesMatch "(?<!\.pdf)$">
    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
  </FilesMatch>
</IfModule>

This way, scripts in HTML or SVG files are no longer executed in modern browsers that support Content Security Policy.

Update December 10th, 2020
The CSP rules have been updated so that PDF documents can be displayed in Safari browsers again.
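The following check is an added example, not part of this advisory or of TYPO3 itself: it parses a Content-Security-Policy header and verifies that it blocks script execution according to the PDF / non-PDF split used in the .htaccess above. The sample responses and paths are constructed; check_remote is only needed when auditing a live site.

```python
from urllib.request import Request, urlopen

# Directives every non-PDF resource must carry (mirrors the generic FilesMatch rule above).
REQUIRED_GENERIC = {"script-src": {"'none'"}, "style-src": {"'none'"}, "object-src": {"'none'"}}
# Relaxed policy for PDFs so the browser's PDF viewer can still render them.
REQUIRED_PDF = {"script-src": {"'none'"}, "object-src": {"'self'"}, "plugin-types": {"application/pdf"}}

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: set(sources)}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def csp_is_sufficient(header, path):
    """True if the header forbids script execution for this file type; a missing header fails."""
    if header is None:
        return False
    policy = parse_csp(header)
    required = REQUIRED_PDF if path.lower().endswith(".pdf") else REQUIRED_GENERIC
    for directive, expected in required.items():
        actual = policy.get(directive)
        if actual is None and directive.endswith("-src"):
            actual = policy.get("default-src")  # fetch directives inherit default-src
        if actual != expected:
            return False
    return True

def check_remote(url, timeout=5):
    """Fetch a live resource with HEAD and evaluate its CSP header (needs network access)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return csp_is_sufficient(resp.headers.get("Content-Security-Policy"), url)

# Constructed sample responses (hypothetical paths), as a server with the .htaccess above would send.
SAMPLE_RESPONSES = {
    "fileadmin/user_upload/avatar.svg": "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';",
    "fileadmin/user_upload/brochure.pdf": "default-src 'self' 'unsafe-inline'; script-src 'none'; object-src 'self'; plugin-types application/pdf;",
    "fileadmin/user_upload/legacy.html": "default-src 'self'",  # no script-src: scripts still allowed
    "fileadmin/user_upload/unprotected.svg": None,               # header missing entirely
}

def audit(responses=SAMPLE_RESPONSES):
    """Return the paths whose CSP does not block script execution."""
    return [path for path, header in responses.items() if not csp_is_sufficient(header, path)]

if __name__ == "__main__":
    for path in audit():
        print("insufficient CSP:", path)
```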

svg-sanitizer extension

To sanitize user-submitted SVG files (removing malicious cross-site scripting code), it is suggested to use the third-party extension svg_sanitizer (composer package t3g/svg-sanitizer).

This way, SVG contents embedded in application markup (inline SVG) can no longer execute scripts.

Credits

Thanks to Sinan Sekerci (Dreamlab Technologies), who brought this topic to our attention again.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.