
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN415
_____________________________________________________________________

DATE                : 17/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3-CORE versions prior to
                            8.7.30, 9.5.12, 10.2.2.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2019-021/
https://typo3.org/security/advisory/typo3-core-sa-2019-022/
https://typo3.org/security/advisory/typo3-core-sa-2019-023/
https://typo3.org/security/advisory/typo3-core-sa-2019-024/
https://typo3.org/security/advisory/typo3-core-sa-2019-025/
https://typo3.org/security/advisory/typo3-core-sa-2019-026/
https://typo3.org/security/advisory/typo3-psa-2019-010/
https://typo3.org/security/advisory/typo3-psa-2019-011/
_____________________________________________________________________

TYPO3-CORE-SA-2019-021: Cross-Site Scripting in Form Framework
validation handling

Categories: Development. Created by Frank Nägler.

It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: December 17, 2019
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 8.0.0-8.7.29 and 9.0.0-9.5.11 and 10.0.0-10.2.0
    Severity: Medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    CVE: not assigned yet


Problem Description

It has been discovered that the output of field validation errors in the
Form Framework is vulnerable to cross-site scripting.


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem
described.


Credits

Thanks to Aslam Idrisov and an anonymous contributor who reported this
issue and to TYPO3 framework merger Frank Nägler who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.


_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-CORE-SA-2019-022: Cross-Site Scripting in Link Handling
Categories: Development. Created by Frank Nägler.

It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting in Link Handling.

    Component Type: TYPO3 CMS
    Subcomponent: Link Handling (ext:core, ext:frontend)
    Release Date: December 17, 2019
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 8.0.0-8.7.29 and 9.0.0-9.5.11 and 10.0.0-10.2.0
    Severity: Medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    CVE: not assigned yet


Problem Description

It has been discovered that t3:// URL handling and typolink
functionality are vulnerable to cross-site scripting. Not only regular
backend forms are affected but also frontend extensions which use the
rendering with typolink.


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem
described.


Credits

Thanks to Oliver Hader who reported this issue and to TYPO3 framework
mergers Susanne Moog, Oliver Hader and Frank Nägler who analyzed and
fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-CORE-SA-2019-023: Cross-Site Scripting in Filelist Module
Categories: Development. Created by Andreas Fernandez.

It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.

    Component Type: TYPO3 CMS
    Subcomponent: Filelist Module (ext:filelist)
    Release Date: December 17, 2019
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 8.0.0-8.7.29, 9.0.0-9.5.11 and 10.0.0-10.2.0
    Severity: Medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    CVE: not assigned yet


Problem Description

It has been discovered that the output table listing in the “Files”
backend module is vulnerable to cross-site scripting when a file
extension contains malicious sequences.

Access to the file system of the server - either directly or through
synchronization - is required to exploit the vulnerability.


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem
described.


Credits

Thanks to zimmer7 GmbH who reported this issue and to TYPO3 framework
merger Andreas Fernandez who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.
_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-CORE-SA-2019-024: Directory Traversal on ZIP extraction
Categories: Development. Created by Andreas Fernandez.

It has been discovered that TYPO3 CMS is vulnerable to directory
traversal.

    Component Type: TYPO3 CMS
    Subcomponent: Extension Manager (ext:extensionmanager)
    Release Date: December 17, 2019
    Vulnerability Type: Directory Traversal
    Affected Versions: 8.0.0-8.7.29, 9.0.0-9.5.11 and 10.0.0-10.2.0
    Severity: Medium
    Suggested CVSS v3.1:
        AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:L/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
    CVE: not assigned yet


Problem Description

It has been discovered that the extraction of manually uploaded ZIP
archives in Extension Manager is vulnerable to directory traversal.

Admin privileges are required in order to exploit this vulnerability.
Since TYPO3 v9 LTS, System Maintainer privileges are required as well.


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem
described.


Credits

Thanks to Kai Ullrich (Code White GmbH) who reported this issue and to
TYPO3 framework merger Andreas Fernandez who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-CORE-SA-2019-025: SQL Injection in low-level Query Generator
Categories: Development. Created by Oliver Hader.

It has been discovered that TYPO3 CMS is vulnerable to SQL injection.

    Component Type: TYPO3 CMS
    Subcomponent: Query Generator (ext:lowlevel)
    Release Date: December 17, 2019
    Vulnerability Type: SQL Injection
    Affected Versions: 8.0.0-8.7.29 and 9.0.0-9.5.11 and 10.0.0-10.2.0
    Severity: Medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C
    CVE: not assigned yet


Problem Description

Class QueryGenerator fails to properly escape user-submitted content and
is therefore vulnerable to SQL injection.

Exploiting this vulnerability requires the system extension ext:lowlevel
to be installed and a valid backend user with administrator privileges.


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem
described.


Credits

Thanks to Dhiraj Shrikant Datar (Zacco CyberSecurity Research Labs) who
reported this issue and to TYPO3 framework merger Frank Nägler who
fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-CORE-SA-2019-026: Insecure Deserialization in Query Generator &
Query View
Categories: Development. Created by Oliver Hader.

It has been discovered that TYPO3 CMS is vulnerable to insecure
deserialization.

    Component Type: TYPO3 CMS
    Subcomponent: Query Generator & Query View (ext:lowlevel, ext:core)
    Release Date: December 17, 2019
    Vulnerability Type: Insecure Deserialization
    Affected Versions: 8.0.0-8.7.29 and 9.0.0-9.5.11 and 10.0.0-10.2.0
    Severity: Medium - High
    Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
    CVE: not assigned yet


Problem Description

It has been discovered that classes QueryGenerator and QueryView are
vulnerable to insecure deserialization.

Requirements for successfully exploiting this vulnerability (one of the
following):

    having system extension ext:lowlevel (Backend Module: DB Check)
    installed & a valid backend user having administrator privileges
    having system extension ext:sys_action installed & a valid backend
    user having limited privileges


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem
described.


Credits

Thanks to Daniel Windloff who reported this issue and to TYPO3 framework
merger Frank Nägler who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.
_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-PSA-2019-010: Cross-Site Scripting Vulnerabilities in File Upload
Handling
Categories: Development. Created by Oliver Hader.

It has been discovered that TYPO3 is susceptible to cross-site
scripting.

    Component Type: TYPO3 CMS
    Subcomponent: File Upload Handling (ext:core, ext:filelist,
                  ext:backend, ext:frontend)
    Release Date: December 17, 2019
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: All
    Severity: medium
    Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:T/RC:C

Problem Description

TYPO3 allows files to be uploaded both in the backend user interface and
in custom developed extensions. To reduce the possibility of uploading
potentially malicious code, TYPO3 uses the fileDenyPattern to prevent
e.g. user-submitted PHP scripts from being persisted. Besides that, any
editor can upload file assets using the file module (fileadmin) or
change the avatar image shown for them in the TYPO3 backend.

By default TYPO3 also allows HTML and SVG files to be uploaded and stored
using the mentioned functionalities. Custom extension implementations
would probably also accept those files when only the fileDenyPattern is
evaluated.

Since HTML and SVG files, which per the W3C standard may contain
executable JavaScript code, can be displayed directly in web clients,
the whole web application is exposed to cross-site scripting. Currently
the following scenarios are known, given that an authenticated regular
editor is able to upload files using the TYPO3 backend:

    directing a potential victim to a known public resource via a URL,
    e.g. /fileadmin/malicious.svg or /fileadmin/malicious.html
    using the TypoScript content object “SVG” (implemented in class
    ScalableVectorGraphicsContentObject) with renderMode set to inline
    for SVG files (available since TYPO3 v9.0)
    custom implementations that directly output and render the markup of
    HTML and SVG files

SVG files that are embedded using an <img src="malicious.svg"> tag are
not vulnerable since potential scripts are not executed in these
scenarios (see https://www.w3.org/wiki/SVG_Security). The icon API of
TYPO3 is not in scope of this announcement since SVG icons need to be
registered using an individual implementation, which is not considered
user-submitted content.


Solution

The real solution to avoid user-submitted content and cross-site
scripting in HTML and SVG files is to disable the possibility to upload
those files altogether. The TYPO3 install tool provides the
corresponding settings in TYPO3_CONF_VARS/SYS, which should no longer
contain the HTML and SVG file extensions.

The default settings would have to be adjusted accordingly.

In case editors with access to the TYPO3 backend are not considered
“trustworthy”, administrators have to manually adjust their
configuration in order to disallow these file types in the
corresponding install tool settings:

    TYPO3_CONF_VARS/SYS/imagefile_ext & mediafile_ext (used to render
    “media” elements, basically using the <img> tag here)
        should not contain “svg”
    TYPO3_CONF_VARS/SYS/textfile_ext (allows editors to create & edit
    files directly in the backend)
        should at least not contain “html”, “htm”, “js”, “css”, “svg”
        in case the web server falls back to mime-type text/html for
        arbitrary file extensions this setting should be empty
    TYPO3_CONF_VARS/BE/fileDenyPattern (used to deny uploads of those
    file extensions in the backend and in frontend applications using
    the File Abstraction Layer API)
        might be extended with html|htm|js|css|svg
        (example:
        \.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|html|htm|js|css|svg)(\..*)?$|\.pl$|^\.htaccess$
        )
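As an added illustration (not part of the advisory or of TYPO3's own code), the following Python script applies the example deny pattern above, and a variant with html|htm|js|css|svg stripped out as a stand-in for the default, to a constructed set of upload names. That TYPO3 evaluates the pattern case-insensitively and that the stripped pattern equals the shipped default are assumptions made here.

```python
import re

# Pattern from the advisory's example, which extends the default with
# html|htm|js|css|svg. The "default" below is that example with those
# five extensions removed; it is an assumption used for comparison here,
# not copied from a TYPO3 release.
DEFAULT_DENY_PATTERN = (
    r"\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$"
    r"|\.pl$|^\.htaccess$"
)
HARDENED_DENY_PATTERN = (
    r"\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|html|htm|js|css|svg)(\..*)?$"
    r"|\.pl$|^\.htaccess$"
)


def is_filename_allowed(filename: str, deny_pattern: str) -> bool:
    """Return True if filename passes the deny pattern.

    Mirrors the shape of a fileDenyPattern check: any match means "deny".
    That the core applies the pattern case-insensitively is an assumption.
    """
    return re.search(deny_pattern, filename, re.IGNORECASE) is None


def classify(filenames, deny_pattern):
    """Map each filename to True (allowed) or False (denied)."""
    return {name: is_filename_allowed(name, deny_pattern) for name in filenames}


# Constructed sample of upload names an editor might submit.
SAMPLE_UPLOADS = [
    "logo.svg",        # active content if served inline or opened directly
    "page.html",
    "report.PDF",
    "shell.php",
    "shell.php.txt",   # double extension: the (\..*)? clause catches it
    "Image.SVG.bak",   # denied only once svg is in the pattern
    ".htaccess",
    "notes.txt",
]

if __name__ == "__main__":
    for label, pattern in [("default", DEFAULT_DENY_PATTERN),
                           ("hardened", HARDENED_DENY_PATTERN)]:
        print(f"--- {label} fileDenyPattern ---")
        for name, allowed in classify(SAMPLE_UPLOADS, pattern).items():
            print(f"{name:16} {'allowed' if allowed else 'DENIED'}")
```

Note that the double-extension clause is what stops a renamed `shell.php.txt` from slipping through, while an `.svg` is only rejected once the extension is listed explicitly.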


Mitigation

While disabling HTML uploads may be possible, disallowing SVG files
might not be an option when they are used as media assets. For this
scenario the additional TYPO3 extension svg_sanitizer has been
implemented, which makes use of the 3rd-party composer package
enshrined/svg-sanitize. The scope of this extension is to sanitize SVG
files on upload and remove potentially malicious code from them, which
covers the following scenarios:

    files being uploaded using the file module in the TYPO3 backend
    files being uploaded using any form view in the TYPO3 backend
    files being uploaded in custom implementations using either
        ResourceFactory::addFile()
        ResourceFactory::replaceFile()
        DataHandler::checkValue_group_select_file()
        GeneralUtility::upload_copy_move()
        GeneralUtility::upload_to_tempfile()

Besides that, the extension svg_sanitizer ships with an upgrade wizard
that sanitizes existing SVG files persisted in file storages. This can
be done by invoking the upgrade wizard from the TYPO3 install tool.


Download

The extension svg_sanitizer requires at least TYPO3 version 7.6.27,
8.7.13 or 9.2.0 in order to make use of the mentioned hooks in class
GeneralUtility. The extension can be obtained from the following
sources:

    composer require t3g/svg-sanitizer
    (https://packagist.org/packages/t3g/svg-sanitizer)
    svg_sanitizer from the TYPO3 extension repository
    https://github.com/TYPO3GmbH/svg_sanitizer

Credits

Credits go to Mohamed Keffous and Nguyen Thanh Nguyen (FortiGuard Labs)
who reported the vulnerability concerning SVG files and to TYPO3
framework merger Frank Nägler for providing the additional svg_sanitizer
extension - the work time in order to achieve this has been sponsored by
TYPO3 GmbH.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________

Tue. 17th December, 2019
TYPO3-PSA-2019-011: Possible Insecure Deserialization in Extbase Request
Handling
Categories: Development. Created by Oliver Hader.

It has been discovered that TYPO3 CMS can be vulnerable to insecure
deserialization.

    Component Type: TYPO3 CMS
    Subcomponent: Extbase Request Handling (ext:extbase)
    Release Date: December 17, 2019
    Impact: Possible Insecure Deserialization
    Affected Versions: All before 10.0.0
    Severity: none - high
    Suggested CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:T/RC:C


Problem Description

It has been discovered that request handling in Extbase can be
vulnerable to insecure deserialization. A user-submitted payload has to
be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3
encryptionKey as the secret; invalid or unsigned payloads are not
deserialized.

However, since sensitive information could have been leaked by accident
(e.g. in repositories or in commonly known and unprotected backup
files), it is possible that attackers know the private encryptionKey
and are able to calculate the required HMAC-SHA1, allowing a malicious
payload to be deserialized.

Requirements for successfully exploiting this vulnerability (all of the
following):

    rendering at least one Extbase plugin in the frontend
    encryptionKey has been leaked (from LocalConfiguration.php or the
    corresponding .env file)
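As an added example (not TYPO3's code), the following Python sketch shows the HMAC-SHA1 gate described above together with the defensive points that matter once a key may have leaked: the tag is compared in constant time, verified bytes are decoded as plain JSON data rather than deserialized into objects, and rotating the key invalidates every previously signed payload. The key, the hex-suffix framing and the JSON payload are constructed for this example and are not TYPO3's wire format.

```python
import hashlib
import hmac
import json

# Constructed stand-in for TYPO3's encryptionKey. A real one lives in
# LocalConfiguration.php or .env and must never end up in a repository
# or a world-readable backup, because the HMAC is only as secret as it is.
ENCRYPTION_KEY = b"constructed-example-key-not-a-real-typo3-key"

HMAC_HEX_LEN = hashlib.sha1().digest_size * 2  # 40 hex characters


def sign_payload(data, key: bytes = ENCRYPTION_KEY) -> str:
    """Serialize data as JSON and append HMAC-SHA1(key, payload) as hex.

    The JSON body + hex-suffix framing is an assumption for this example.
    """
    payload = json.dumps(data, sort_keys=True).encode()
    return payload.decode() + hmac.new(key, payload, hashlib.sha1).hexdigest()


def verify_and_decode(signed: str, key: bytes = ENCRYPTION_KEY):
    """Return the decoded payload, or None if the tag is missing or invalid.

    Defensive points demonstrated here:
      * hmac.compare_digest, so a tag cannot be guessed byte by byte;
      * the verified bytes go through json.loads, which yields only plain
        data, instead of an object-deserialization routine, so a leaked
        key lets an attacker forge data but not instantiate classes;
      * verifying under a new key rejects everything signed with the old
        one, which is the point of rotating a leaked encryptionKey.
    """
    if len(signed) <= HMAC_HEX_LEN:
        return None
    payload, tag = signed[:-HMAC_HEX_LEN].encode(), signed[-HMAC_HEX_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


if __name__ == "__main__":
    good = sign_payload({"controller": "Show", "page": 3})
    print(verify_and_decode(good))                       # the dict
    print(verify_and_decode('{"page": 3}'))              # unsigned -> None
    print(verify_and_decode(good, key=b"rotated-key"))   # rotated -> None
```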


Solution

Update to TYPO3 versions 8.7.30 or 9.5.12 that fix the problem
described.


Credits

Thanks to TYPO3 security team member Oliver Hader who analyzed and fixed
the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================