TYPO3-CORE-SA-2018-002: Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS

Categories: TYPO3 CMS Created by Oliver Hader
It has been discovered, that TYPO3 CMS is vulnerable to Insecure Deserialization & Arbitrary Code Execution.
  • Component Type: TYPO3 CMS
  • Release Date: July 12, 2018
  • Vulnerability Type: Insecure Deserialization & Arbitrary Code Execution
  • Affected Versions: 7.0.0 to 7.6.29, 8.0.0 to 8.7.16 and 9.0.0 to 9.3.0
  • Severity: High
  • Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C
  • CVE: not assigned yet

Problem Description

Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.

Solution

Update to TYPO3 versions 7.6.30, 8.7.17 or 9.3.1 that fix the problem described. The vulnerability was solved by first denying the direct attack vector and besides that to limit invocation of Phar files to those that are located in TYPO3 extensions (path typo3conf/ext/*) by using a custom PHP stream wrapper. Phar files stored at different locations cannot be invoked anymore. Please ensure that 3rd party extensions are not storing arbitrary user submitted files in typo3conf/ext/* directories.

Credits

Thanks to Sam Thomas (www.secarma.co.uk) who reported this issue and to TYPO3 core team members Christian Kuhn and Oliver Hader who fixed the issues.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.

Update (7th September, 2018)
The PHP PharStreamWrapper has been extracted from the TYPO3 core and released as independent standalone Composer package at https://github.com/TYPO3/phar-stream-wrapper. The package is compatible to PHP v7 and PHP v5.3.