- Release Date: March 10, 2020
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Remote Code Execution, Arbitrary File Upload, Path Traversal and Broken Access Control
- Affected Versions: 1.0.3 and below
- Severity: Critical
- Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE: not assigned yet
Problem Description
An authenticated backend user can use the backend module to upload arbitrary files resulting in Remote Code Execution. Also, the backend module is susceptible to path traversal which allows an authenticated backend user to upload and overwrite files in all locations the webserver has access to.
The extension includes the PHP script “upload.php”, which is located in the extension itself and copied to fileadmin/user_upload/magalone/ subdirectories when using the backend module of the extension. This script can be used to upload arbitrary image- and pdf-files without authentication.
Default actions of the TYPO3 Extension Builder are available in frontend context allowing to delete various flipbook records on websites, where [FE][pageNotFoundOnCHashError] is disabled.
Solution
An updated version 1.0.5 is available from the TYPO3 extension manager and at
https://extensions.typo3.org/extension/download/magaloneflipbook/1.0.5/zip
Users of the extension are advised to update the extension as soon as possible.
Important: Updating the extension does not fully resolve all problems. Users of the extension must manually delete all occurrences of the file “upload.php” in “fileadmin/user_upload/magalone/” subdirectories.
Credits
Thanks to Security Team Members Georg Ringer and Oliver Hader who discovered and reported the vulnerabilities and to soft-evolution Gmbh & Co.KG for providing an updated version of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.