
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN627
_____________________________________________________________________

DATE                : 20/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3 CMS versions prior to
                 10.4.10, 9.5.23, 8.7.38 ELTS, 7.6.48 ELTS, 6.2.54 ELTS.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2020-009
https://typo3.org/security/advisory/typo3-core-sa-2020-010
https://typo3.org/security/advisory/typo3-core-sa-2020-011/
https://typo3.org/security/advisory/typo3-core-sa-2020-012/
_____________________________________________________________________

 Tue. 17th November, 2020
TYPO3-CORE-SA-2020-009: Cross-Site Scripting through Fluid view helper
arguments


Categories: Development, TYPO3 CMS Created by Claus Due
It has been discovered that the Fluid Engine is vulnerable to cross-site
scripting.

    Component Type: TYPO3 CMS
    Subcomponent: Fluid Engine (package typo3fluid/fluid)
    Release Date: November 17, 2020
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 10.0.0-10.4.9, 9.0.0-9.5.22, 8.7.0-8.7.37 ELTS,
                        7.6.0-7.6.47 ELTS, 6.2.0-6.2.53 ELTS
    Severity: Medium
    Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2020-26216, CWE-79

Problem Description

Three XSS vulnerabilities have been detected in Fluid:

    1. TagBasedViewHelper allowed XSS through maliciously crafted
       additionalAttributes arrays by creating keys with attribute-closing
       quotes followed by HTML. When rendering such attributes, TagBuilder
       would not escape the keys.
    2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic
       trait, and which declared escapeOutput = false, would receive the
       content argument in unescaped format.
    3. Subclasses of AbstractConditionViewHelper would receive the then and
       else arguments in unescaped format.

Solution

Update to TYPO3 versions 10.4.10, 9.5.23, 8.7.38 ELTS, 7.6.48 ELTS or
6.2.54 ELTS that fix the problem described.
Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10
of the underlying standalone typo3fluid/fluid package.

Updated versions of this package are bundled in the following TYPO3
(typo3/cms-core) releases:

    TYPO3 v9.5.23 (using typo3fluid/fluid v2.6.10)
    TYPO3 v10.4.5 (using typo3fluid/fluid v2.6.10)

The specific vulnerabilities are prevented by:

    1. Explicitly escaping keys found in the additionalAttributes array
       passed to a TagBasedViewHelper before using them as attribute names.
    2. Detecting the "content argument" on ViewHelpers using the trait
       CompileWithContentArgumentAndRenderStatic and escaping it based on the
       state of escapeChildren when escapeOutput is toggled off. Escaping still
       will not occur if explicitly disabled by an enclosing ViewHelper. This
       homogenises the escaping behaviour of "content arguments" so the same
       strategy is used whether the "content" argument is passed as an argument
       or as child content.
    3. Explicitly defining the then and else arguments on
       AbstractConditionViewHelper subclasses as escaped and applying escaping
       in all cases where escaping is not explicitly disabled by an enclosing
       ViewHelper.
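The following is an added illustration and not code from typo3fluid/fluid: it models the first problem above (attribute names taken from an additionalAttributes array being emitted unescaped) with a vulnerable renderer beside a hardened one; the function names are hypothetical.

```php
<?php
// Added illustration, not code from typo3fluid/fluid: it models the
// TagBasedViewHelper problem from this advisory, where attribute *names* taken
// from an additionalAttributes array were emitted unescaped. The function
// names below are hypothetical.

function escapeForAttribute(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the value is escaped, the key is trusted verbatim.
function renderAttributesUnsafe(array $attributes): string
{
    $html = '';
    foreach ($attributes as $name => $value) {
        $html .= ' ' . $name . '="' . escapeForAttribute((string) $value) . '"';
    }
    return $html;
}

// Hardened pattern, matching the fix described above: a key that is not a
// plain attribute name is escaped before it is used as one.
function renderAttributesSafe(array $attributes): string
{
    $html = '';
    foreach ($attributes as $name => $value) {
        $name = (string) $name;
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.:-]*$/', $name)) {
            $name = escapeForAttribute($name);
        }
        $html .= ' ' . $name . '="' . escapeForAttribute((string) $value) . '"';
    }
    return $html;
}

// Constructed input shaped like the advisory's description: a key carrying an
// attribute-closing quote followed by HTML, next to a legitimate attribute.
$additionalAttributes = [
    'title="x"><b>injected</b' => 'ignored',
    'data-id' => '42',
];

// The unsafe renderer lets the key break out of the attribute; the safe one
// turns the quote and angle brackets into entities and the tag stays intact.
echo '<a' . renderAttributesUnsafe($additionalAttributes) . '>link</a>', PHP_EOL;
echo '<a' . renderAttributesSafe($additionalAttributes) . '>link</a>', PHP_EOL;
```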


Affected Cases

    1. The fix for TagBasedViewHelper does not affect any valid use cases;
       it only prevents use of maliciously crafted attribute/value arrays
       passed as additionalAttributes.

    2. Any case where a ViewHelper with a "content argument" and which
       defines escapeOutput = false is used with the content argument instead
       of passing variables as child node - e.g. <v:h content="{variable}" />
       instead of <v:h>{variable}</v:h> to intentionally circumvent escaping of
       any HTML in {variable}.

    3. Any case where a condition ViewHelper is used with then or else
       arguments to render a variable containing HTML, excluding cases where
       the variable is intentionally unescaped - e.g. <f:if condition="1"
       then="{variable -> f:format.raw()}" />, and excluding any cases where a
       ViewHelper is used as argument value and the ViewHelper intentionally
       disables escaping - e.g. <f:if condition="1" then="{f:render(section:
       'MySection')}" /> does not escape the then argument because f:render
       disables output escaping.

Cases 2 and 3 can be mitigated to allow variables with HTML to not be
escaped, by intentionally disabling escaping by chaining the variable
used in the argument with f:format.raw as described in case 3. Note that
this constitutes a potential security issue, for which the template
author is solely responsible.

Example: <f:if condition="1" then="{intentionalHtmlVariable}" /> can
allow HTML in {intentionalHtmlVariable} by adding -> f:format.raw() - to
become <f:if condition="1" then="{intentionalHtmlVariable ->
f:format.raw()}" />. Variables containing HTML should only be allowed
after taking great care to prevent XSS through other means, e.g.
sanitising the variable before it is assigned to Fluid or only allowing
such variables to come from trusted sources.

Custom ViewHelpers which use CompileWithContentArgumentAndRenderStatic
can alternatively pass a 6th argument with value false to the call to
registerArgument which registers the "content argument", which
explicitly disables escaping of the argument value:
$this->registerArgument('arg', 'string', 'My argument', false, null,
false);. Note that this constitutes a potential security issue for which
the ViewHelper author is solely responsible.


Credits

Thanks to Jonas Eberle and Sinan Sekerci (Dreamlab Technologies) who
reported this issue and to TYPO3 core merger Claus Due who fixed the
issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.


_____________________________________________________________________

Tue. 17th November, 2020
TYPO3-CORE-SA-2020-010: Cross-Site Scripting in Fluid view helpers
Categories: Development, TYPO3 CMS Created by Oliver Hader


It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting.

    Component Type: TYPO3 CMS
    Subcomponent: Fluid (ext:fluid)
    Release Date: November 17, 2020
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 10.0.0-10.4.9, 9.0.0-9.5.22, 8.7.0-8.7.37 ELTS,
                       7.6.0-7.6.47 ELTS, 6.2.0-6.2.53 ELTS
    Severity: Medium
    Suggested CVSS:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2020-26227, CWE-79


Problem Description

It has been discovered that system extension Fluid (typo3/cms-fluid) of
the TYPO3 core is vulnerable to cross-site scripting passing
user-controlled data as argument to Fluid view helpers.

<f:form ... fieldNamePrefix="{payload}" />
<f:be.labels.csh ... label="{payload}" />
<f:be.menus.actionMenu ... label="{payload}" />


Solution

Update to TYPO3 versions 10.4.10, 9.5.23, 8.7.38 ELTS, 7.6.48 ELTS or
6.2.54 ELTS that fix the problem described.


Credits

Thanks to TYPO3 security team member Oliver Hader who reported this
issue and to TYPO3 security team members Helmut Hummel & Oliver Hader
who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.


_____________________________________________________________________

 Tue. 17th November, 2020
TYPO3-CORE-SA-2020-011: Cleartext storage of session identifier
Categories: Development, TYPO3 CMS Created by Oliver Hader


It has been discovered that TYPO3 CMS is susceptible to sensitive data
exposure.

    Component Type: TYPO3 CMS
    Subcomponent: Session Storage (ext:core)
    Release Date: November 17, 2020
    Vulnerability Type: Sensitive Data Exposure
    Affected Versions: 10.0.0-10.4.9, 9.0.0-9.5.22, 8.7.0-8.7.37 ELTS,
                        7.6.0-7.6.47 ELTS, 6.2.0-6.2.53 ELTS
    Severity: High
    Suggested CVSS:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
    References: CVE-2020-26228, CWE-312


Problem Description

User session identifiers were stored in cleartext, without an additional
cryptographic hash being applied before storage. This vulnerability
cannot be exploited directly; it only becomes relevant in combination
with a chained attack, for instance SQL injection in any other component
of the system.
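The following is an added illustration and not TYPO3's own session code: it shows the defensive principle behind this advisory, persisting only a keyed hash of the session identifier so that a leaked session table does not yield usable cookies. The function names, the in-memory store and $serverSecret are assumptions.

```php
<?php
// Added illustration (not TYPO3's own session handling) of the principle
// behind SA-2020-011: store only a keyed hash of the session identifier, so a
// leaked session table (e.g. via an unrelated SQL injection) does not yield
// usable session cookies. Function names and $serverSecret are assumptions.

const SESSION_ID_BYTES = 32;

// The secret must live outside the database (config file / environment);
// if it leaked together with the table, hashes could be recomputed.
function hashSessionId(string $sessionId, string $serverSecret): string
{
    return hash_hmac('sha256', $sessionId, $serverSecret);
}

// Creates a session: the raw id goes to the cookie, only its hash is stored.
function createSession(array &$store, string $serverSecret, int $userId): string
{
    $sessionId = bin2hex(random_bytes(SESSION_ID_BYTES));
    $store[hashSessionId($sessionId, $serverSecret)] = [
        'user_id' => $userId,
        'created' => time(),
    ];
    return $sessionId; // sent to the client, never persisted in cleartext
}

// Resolves the cookie value presented by the client against the store.
function findSession(array $store, string $serverSecret, string $presentedId): ?array
{
    return $store[hashSessionId($presentedId, $serverSecret)] ?? null;
}

// Constructed demo: an in-memory array stands in for the sessions table and
// the secret is a placeholder, not a real key.
$sessions = [];
$secret = 'placeholder-secret-from-configuration';
$cookie = createSession($sessions, $secret, 7);

// The real cookie resolves; the stored hash, if stolen, does not act as one.
var_dump(findSession($sessions, $secret, $cookie) !== null);
var_dump(findSession($sessions, $secret, array_key_first($sessions)) === null);
```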


Solution

Update to TYPO3 versions 10.4.10, 9.5.23, 8.7.38 ELTS, 7.6.48 ELTS or
6.2.54 ELTS that fix the problem described.


Credits

Thanks to TYPO3 security team member Helmut Hummel who reported this
issue and to TYPO3 core & security team members Benni Mack & Oliver
Hader as well as TYPO3 contributor Markus Klein who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.


_____________________________________________________________________

 Tue. 17th November, 2020
TYPO3-CORE-SA-2020-012: XML External Entity in Dashboard Widget
Categories: Development, TYPO3 CMS Created by Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to XML external
entity processing.

    Component Type: TYPO3 CMS
    Subcomponent: Dashboard (ext:dashboard)
    Release Date: November 17, 2020
    Vulnerability Type: XML External Entity
    Affected Versions: 10.4.0-10.4.9
    Severity: Low
    Suggested CVSS:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:R
    References: CVE-2020-26229, CWE-611


Problem Description

It has been discovered that RSS widgets are susceptible to XML external
entity processing.

This vulnerability is plausible but theoretical: it was not possible to
actually reproduce it with current PHP versions of supported and
maintained system distributions.

At least with libxml2 version 2.9, the processing of XML external
entities is disabled by default and cannot be exploited. Besides that,
a valid backend user account is needed.
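The following is an added illustration and not code from ext:dashboard: a defensive RSS feed parser in the spirit of this advisory, which rejects DTD and entity declarations before parsing and disables network access during parsing so external entities are never resolved regardless of the libxml2 default. The function name and the two constructed feeds are assumptions.

```php
<?php
// Added illustration, not code from ext:dashboard: a defensive RSS parser in
// the spirit of this advisory. It refuses any DTD/entity declaration before
// parsing and parses with network access disabled, so external entities are
// never resolved whatever the libxml2 default happens to be. Names assumed.

function parseRssTitlesSafely(string $xml): array
{
    // Defence 1: a syndication feed has no business declaring a DTD, so a
    // DOCTYPE or ENTITY declaration is rejected outright instead of parsed.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        throw new RuntimeException('Feed rejected: DTD or entity declaration present');
    }

    // Defence 2: LIBXML_NONET forbids network access during parsing, and
    // LIBXML_NOENT is deliberately not set, so no entity substitution occurs.
    $previous = libxml_use_internal_errors(true);
    $document = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($document === false) {
        throw new RuntimeException('Feed rejected: not well-formed XML');
    }

    $titles = [];
    foreach ($document->xpath('/rss/channel/item/title') ?: [] as $title) {
        $titles[] = (string) $title;
    }
    return $titles;
}

// Constructed feeds: a harmless one, and one carrying the external entity
// declaration pattern CWE-611 describes (the SYSTEM path is a placeholder).
$benign = '<?xml version="1.0"?><rss><channel><item>'
    . '<title>TYPO3 10.4.10 released</title></item></channel></rss>';
$hostile = '<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    . '<rss><channel><item><title>&ext;</title></item></channel></rss>';

print_r(parseRssTitlesSafely($benign));
try {
    parseRssTitlesSafely($hostile);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```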


Solution

Update to TYPO3 version 10.4.10 that fixes the problem described.


Credits

Thanks to Victoria Lee who reported this issue and to TYPO3 security
team member Oliver Hader who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


