TYPO3-EXT-SA-2021-017: Multiple vulnerabilities in extension "pixx.io integration for TYPO3 (DAM)" (pixxio)

Categories: Development, Security Created by Torben Hansen
It has been discovered that the extension"pixx.io integration for TYPO3 (DAM)" (pixxio) is susceptible to Server-side request forgery, Remote Code Execution, Broken Access Control and vulnerable 3rd Party Components.
  • Release Date: November 10, 2021
  • Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
  • Component: "pixx.io integration for TYPO3 (DAM)" (pixxio)
  • Vulnerability Type: Server-side request forgery, Remote Code Execution, Broken Access Control and vulnerable 3rd Party Components.
  • Affected Versions: 1.0.4 and below
  • Severity: High
  • Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C
  • References: CVE-2021-43562 and CVE-2021-43563

Problem Description

The extension fails to restrict the image download to the configured pixx.io DAM URL resulting in Server-side request forgery. As a result of the Server-side request forgery vulnerability, an attacker can download various content from a remote location and save it to a user controlled filename which may result in Remote Code Execution. A TYPO3 backend user account is required to exploit both vulnerabilities.

The Access Control in the bundled media browser is broken, which allows an unauthenticated attacker to perform requests to the pixx.io API for the configured API user. This allows an attacker to download various media files from the DAM system.

Finally the extension bundles the 3rd Party Component jQuery 3.3.1  which contains known security vulnerabilities.

Solution

An updated version 1.0.6 is available from the TYPO3 extension manager and at
https://extensions.typo3.org/extension/download/pixxio/1.0.6/zip
Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Andrey Basarygin, Andrey Guzei, Mikhail Khramenkov, Alexander Sidukov and Maxim Teplykh from Solar Security  for reporting the SSRF issue, to Security Team Member Torben Hansen for finding the additional issues and to Christoph Trautbeck for providing an updated version of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.