====================================================================
CERT-Renater Information Note No. 2020/VULN271
_____________________________________________________________________
DATE: 14/05/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running TYPO3-CORE versions prior to 9.5.17, 10.4.2.
=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2020-001
https://typo3.org/security/advisory/typo3-core-sa-2020-002
https://typo3.org/security/advisory/typo3-core-sa-2020-003
https://typo3.org/security/advisory/typo3-core-sa-2020-004
https://typo3.org/security/advisory/typo3-core-sa-2020-005
https://typo3.org/security/advisory/typo3-core-sa-2020-006
_____________________________________________________________________
Tue. 12th May, 2020
TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset
Categories: Development
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to information disclosure.

Component Type: TYPO3 CMS
Subcomponent: Password Reset (ext:backend)
Release Date: May 12, 2020
Vulnerability Type: Information Disclosure
Affected Versions: 10.4.0-10.4.1
Severity: Low
Suggested CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
References: CVE-2020-11063, CWE-204

Problem Description
It has been discovered that time-based attacks can be used against the password reset functionality for backend users. This allows an attacker to verify whether a backend user account with a given email address exists or not.

Solution
Update to TYPO3 version 10.4.2, which fixes the problem described.

Credits
Thanks to Michael Kasten who reported this issue and to TYPO3 merger Frank Nägler who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so that you can easily look them up in our review system.
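The six advisories in this note have different affected ranges, so the first question for an operator is which of them apply to a given installation. The following check is an added example, not part of the CERT-Renater note or of TYPO3 itself; the only data it carries are the "Affected Versions" ranges and the fixed releases (9.5.17, 10.4.2) quoted in this note.

```python
"""Map an installed TYPO3 version to the advisories in this note.

Added example, not part of the CERT-Renater note or of TYPO3; the
affected ranges are copied from the six advisories in the note.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# Affected-version ranges as published in TYPO3-CORE-SA-2020-001..006.
ADVISORIES = {
    "TYPO3-CORE-SA-2020-001": ["10.4.0-10.4.1"],
    "TYPO3-CORE-SA-2020-002": ["9.0.0-9.5.16", "10.0.0-10.4.1"],
    "TYPO3-CORE-SA-2020-003": ["9.5.12-9.5.16", "10.2.0-10.4.1"],
    "TYPO3-CORE-SA-2020-004": ["9.0.0-9.5.16", "10.0.0-10.4.1"],
    "TYPO3-CORE-SA-2020-005": ["9.0.0-9.5.16", "10.0.0-10.4.1"],
    "TYPO3-CORE-SA-2020-006": ["9.0.0-9.5.16", "10.0.0-10.4.1"],
}
# Fixed releases per branch ("versions prior to 9.5.17, 10.4.2").
FIXED = {9: (9, 5, 17), 10: (10, 4, 2)}


def parse_version(text: str) -> Version:
    """'10.4.1' -> (10, 4, 1); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a TYPO3 release version: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: Version, spec: str) -> bool:
    """Inclusive 'low-high' check, comparing numerically (9.5.9 < 9.5.16)."""
    low, high = (parse_version(p) for p in spec.split("-"))
    return low <= version <= high


def affected_advisories(installed: str) -> List[str]:
    """Advisory IDs whose published affected range contains the version."""
    v = parse_version(installed)
    return [aid for aid, specs in ADVISORIES.items()
            if any(in_range(v, s) for s in specs)]


def is_patched(installed: str) -> bool:
    """True when the version is at or above the fixed release of its branch.

    Branches this note does not cover (anything other than 9.x/10.x) are
    reported as not patched so that they are looked at rather than ignored.
    """
    v = parse_version(installed)
    fixed = FIXED.get(v[0])
    return fixed is not None and v >= fixed
```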
_____________________________________________________________________
Tue. 12th May, 2020
TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
Categories: Development
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.

Component Type: TYPO3 CMS
Subcomponent: Form Engine (ext:backend)
Release Date: May 12, 2020
Vulnerability Type: Cross-Site Scripting
Affected Versions: 9.0.0-9.5.16, 10.0.0-10.4.1
Severity: Medium
Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
References: CVE-2020-11064, CWE-79

Problem Description
It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

Solution
Update to TYPO3 versions 9.5.17 or 10.4.2, which fix the problem described.

Credits
Thanks to Florian Weiss who reported this issue and to TYPO3 active contributor Markus Klein who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so that you can easily look them up in our review system.
_____________________________________________________________________
Tue. 12th May, 2020
TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling
Categories: Development
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site scripting.

Component Type: TYPO3 CMS
Subcomponent: Link Handling (ext:frontend)
Release Date: May 12, 2020
Vulnerability Type: Information Disclosure
Affected Versions: 9.5.12-9.5.16, 10.2.0-10.4.1
Severity: Medium
Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
References: CVE-2020-11065, CWE-79

Problem Description
It has been discovered that link tags generated by the typolink functionality are vulnerable to cross-site scripting: properties being assigned as HTML attributes have not been parsed correctly.

Solution
Update to TYPO3 versions 9.5.17 or 10.4.2, which fix the problem described.

Credits
Thanks to Josef Glatz who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so that you can easily look them up in our review system.
_____________________________________________________________________
Tue. 12th May, 2020
TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized
Categories: Development
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to insecure deserialization.

Component Type: TYPO3 CMS
Subcomponent: Core (ext:core)
Release Date: May 12, 2020
Vulnerability Type: Insecure Deserialization
Affected Versions: 9.0.0-9.5.16, 10.0.0-10.4.1
Severity: High
Suggested CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H/E:F/RL:O/RC:C
References: CVE-2020-11066, CWE-502

Problem Description
Calling unserialize() on malicious user-submitted content can result in the following scenarios:
  - trigger deletion of an arbitrary directory in the file system (if writable for the web server)
  - trigger message submission via email using the identity of the web site (mail relay)
Another insecure deserialization vulnerability is required to actually exploit the mentioned aspects.

Solution
Update to TYPO3 versions 9.5.17 or 10.4.2, which fix the problem described.

Credits
Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so that you can easily look them up in our review system.
_____________________________________________________________________
Tue. 12th May, 2020
TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings
Categories: Development
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to insecure deserialization.

Component Type: TYPO3 CMS
Subcomponent: Backend User Interface (ext:backend)
Release Date: May 12, 2020
Vulnerability Type: Insecure Deserialization
Affected Versions: 9.0.0-9.5.16, 10.0.0-10.4.1
Severity: High
Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
References: CVE-2020-11067, CWE-502

Problem Description
It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.

Solution
Update to TYPO3 versions 9.5.17 or 10.4.2, which fix the problem described.

Credits
Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.

General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so that you can easily look them up in our review system.
_____________________________________________________________________
Tue. 12th May, 2020
TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
Categories: Development
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to same-site request forgery.

Component Type: TYPO3 CMS
Subcomponent: Backend User Interface & Install Tool (ext:backend, ext:backend)
Release Date: May 12, 2020
Vulnerability Type: Same-Site Request Forgery
Affected Versions: 9.0.0-9.5.16, 10.0.0-10.4.1
Severity: High
Suggested CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
References: CVE-2020-11069, CWE-352, CWE-346

Problem Description
It has been discovered that the backend user interface and install tool are vulnerable to same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server; scripts are then executed with the privileges of the victim's user session. In a worst case scenario new admin users can be created which can directly be used by an attacker.

The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS), but it happens on the same target host; thus, it is actually a same-site request forgery (SSRF). Malicious payload such as HTML containing JavaScript might be provided either by an authenticated backend user or by a non-authenticated user using a 3rd party extension, e.g. a file upload in a contact form where the target location is known. The attacked victim requires an active and valid backend or install tool user session at the time of the attack for it to be successful.

Solution
Update to TYPO3 versions 9.5.17 or 10.4.2, which mitigate the problem described.

The mitigation to this scenario is handled by enforcing a proper HTTP Referer header to ensure a previous authenticated request has originated from the TYPO3 backend user interface or install tool. It does not address the potential availability of cross-site scripting, but aims to mitigate the impact of executing non-authorized actions with the attacked backend user session.

Strong security defaults - Manual actions required
The HTTP Referer header mentioned above is enforced by default for relevant URIs. Some proxy servers might remove this HTTP header, which would make it necessary to deactivate this protection mechanism. This can be done by disabling
  $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer']
either using the Install Tool's feature toggles or the corresponding deployment techniques.

Additional Considerations
The deployment of additional mitigation techniques is suggested as described below.

Sudo Mode Extension
This TYPO3 extension intercepts modifications to security-relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to be confirmed again by the acting user by providing their password again; this technique is known as "sudo mode". This way unintended actions happening in the background can be mitigated.
https://extensions.typo3.org/extension/sudo_mode
https://github.com/FriendsOfTYPO3/sudo-mode

Content Security Policy
Content Security Policies tell (modern) browsers how resources served by a particular site are handled; it is also possible to disallow script execution for specific locations. In a TYPO3 context it is suggested to disallow direct script execution at least for the locations /fileadmin/ and /uploads/.

  # in fileadmin/.htaccess
  Header add Content-Security-Policy "default-src 'self'; script-src 'none';"

The example above, for scenarios using the Apache web server, denies script execution for resources that are directly opened in a browser, e.g. example.org/fileadmin/malicious.html.

Credits
Thanks to Matteo Bonaker who reported this issue and to TYPO3 security team member Oliver Hader who fixed the issue.
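The Referer enforcement described for SA-2020-006 differs from an ordinary CSRF origin check in one point: the malicious HTML sits on the same host, so checking the origin alone is not enough and the referrer must also point into the backend entry point. The following is an added illustration of that logic, not TYPO3's own ReferrerEnforcer; the site host, the backend path /typo3/ and the boolean standing in for the feature toggle are assumptions.

```python
"""Server-side Referer enforcement of the kind SA-2020-006 describes.

Added example, not TYPO3's own implementation. SITE_HOST and the backend
path prefix are constructed assumptions; 'enforce' stands in for the
security.backend.enforceReferrer feature toggle.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

SITE_HOST = "example.org"        # constructed: host serving the backend UI
PROTECTED_PATHS = ("/typo3/",)   # constructed: backend and install tool prefix


def referrer_allowed(headers: Dict[str, str], enforce: bool = True) -> Tuple[bool, str]:
    """Decide whether a state-changing backend request may proceed.

    Returns (allowed, reason). Origin alone is insufficient here because the
    uploaded HTML in the advisory is served from the SAME host (e.g. under
    /fileadmin/), so the Referer path must also lie inside the backend UI.
    """
    normalized = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    referer = normalized.get("referer", "")
    if not referer:
        # Proxies that strip Referer (mentioned in the advisory) end up here;
        # only the explicit toggle lets such requests through.
        if enforce:
            return False, "missing Referer while enforcement is active"
        return True, "missing Referer tolerated: enforcement disabled"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname != SITE_HOST:
        # Classic cross-site case; hostname comparison also defeats
        # tricks such as 'example.org.evil.net' or 'example.org@evil.net'.
        return False, f"cross-site referrer {parts.hostname!r}"
    if not parts.path.startswith(PROTECTED_PATHS):
        # Same host, but the request was not initiated from the backend UI.
        return False, f"same-site referrer outside backend: {parts.path}"
    return True, "referrer points into backend UI"
```

The CSP shown in the advisory for /fileadmin/ complements this check: the Referer rule limits what an already-running script can do, the CSP aims to stop it from running at all.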
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note
All security-related code changes are tagged so that you can easily look them up in our review system.
=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email: cert@support.renater.fr +
=========================================================