
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN628
_____________________________________________________________________

DATE                : 20/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Install Tool component for TYPO3,
                             File Upload Handling component for TYPO3.

=====================================================================
https://typo3.org/security/advisory/typo3-psa-2020-002
https://typo3.org/security/advisory/typo3-psa-2020-003
_____________________________________________________________________

Tue. 17th November, 2020
TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode
Categories: Development, TYPO3 CMS Created by Oliver Hader


Accessing Install Tool via TYPO3 Backend requires password verification
- known as Sudo Mode.

    Component Type: TYPO3 CMS
    Subcomponent: Install Tool (ext:install)
    Release Date: November 17, 2020
    Affected Versions: 9.0.0-9.5.22, 10.0.0-10.4.9


Problem Description

When the system maintainer concept was introduced with TYPO3 v9.0.0, the
requirement to enter a password when accessing the Install Tool via the
backend user interface was removed.

However, the Install Tool allows one to define various configurations as
well as arguments and paths for low-level binary applications to take
care of further processing.

By definition, all of these actions and features qualify as "remote code
execution". This is no problem when they are used by legitimate system
maintainers; however, they could also serve as an attack vector if a user
session has been hijacked through another vulnerability in any software
component on the same server, such as cross-site scripting or SQL
injection.


Solution

The ideal solution would be to not deploy the Install Tool component at
all on a website in production, which is however not feasible for all
environments. Thus, protecting the entry point is currently the best way
to mitigate unintended access to the Install Tool via the backend user
interface.

Users now have to enter either their user password or the “Install Tool
password” to get corresponding access. This mechanism is known as Sudo
Mode.

It is suggested to update to TYPO3 versions 9.5.23 or 10.4.10 that
mitigate the problem described by introducing Sudo Mode for accessing
the Install Tool via the backend user interface.

Maintainers of extensions that provide remote, single sign-on, or
multi-factor authentication are advised to check technical details and
potential implications for their extensions.

This change enforces the suggestions of TYPO3-CORE-SA-2020-006.
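
The following is an added illustration of the Sudo Mode idea described
above, not TYPO3's own implementation: a password re-verification grant
that is stored per session and expires, accepting either the backend
user's password or the Install Tool password. Names, the PBKDF2 hashing
and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Hypothetical sudo-mode gate modelled on the advisory's description; not TYPO3's code.
PBKDF2_ROUNDS = 100_000
SUDO_TTL_SECONDS = 15 * 60  # assumed lifetime of one successful verification


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class SudoMode:
    """Per-session sudo grants, kept apart from the login session.
    A hijacked session is logged in but never re-verified a password, so it is denied."""

    def __init__(self, user_hash, install_tool_hash, ttl: float = SUDO_TTL_SECONDS):
        self.user_hash = user_hash                  # (salt, digest) of the user's password
        self.install_tool_hash = install_tool_hash  # (salt, digest) of the Install Tool password
        self.ttl = ttl
        self.granted_until: Dict[str, float] = {}   # session id -> expiry timestamp

    def verify(self, session_id: str, password: str, now: Optional[float] = None) -> bool:
        """Grant sudo mode to this session if either accepted password matches."""
        now = time.time() if now is None else now
        ok = (verify_password(password, *self.user_hash)
              or verify_password(password, *self.install_tool_hash))
        if ok:
            self.granted_until[session_id] = now + self.ttl
        return ok

    def may_access_install_tool(self, session_id: str, now: Optional[float] = None) -> bool:
        """True only while a recent password verification is on record for this session."""
        now = time.time() if now is None else now
        return self.granted_until.get(session_id, 0.0) > now
```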


Credits

Thanks to Sinan Sekerci (Dreamlab Technologies) who brought this topic
again to our attention and to TYPO3 security team member Oliver Hader
who introduced Sudo Mode to mitigate the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.

_____________________________________________________________________


Tue. 17th November, 2020
TYPO3-PSA-2020-003: Mitigation of Cross-Site Scripting Vulnerabilities
in File Upload Handling
Categories: Development, TYPO3 CMS Created by Oliver Hader


Repeating and refining public service announcement TYPO3-PSA-2019-010.

    Component Type: TYPO3 CMS
    Subcomponent: File Upload Handling (ext:filelist)
    Release Date: November 17, 2020
    Affected Versions: all


Problem Description

According to TYPO3-PSA-2019-010, authenticated users without
administrator privileges are allowed to upload files to the file mounts
granted to them (e.g. fileadmin/ in most cases). This includes the
possibility of uploading potentially malicious code in HTML or SVG files
(containing JavaScript, thus introducing cross-site scripting
vulnerabilities).

Custom applications might allow uploading SVG files among other image
file formats in user profile avatars - just to give another example of a
potential attack vector.

By definition, this allows attackers to introduce cross-site scripting
vulnerabilities.

This announcement is repeating TYPO3-PSA-2019-010.


Solution

To mitigate these potential scenarios it is advised to deny uploading
files as described in TYPO3-PSA-2019-010 - which might be impractical
for some sites. Alternative mitigation strategies are explained below.


Mitigation

TYPO3 versions 9.5.23 and 10.4.10 are shipped with a new security check
verifying basic Content Security Policy headers (see below) for
resources in fileadmin/. Since TYPO3 allows creating and composing
custom applications, the following mitigation strategies should be
considered individually for websites in production.


Content Security Policy HTTP header

Content Security Policy (CSP) is an added layer of security that helps
to detect and mitigate certain types of attacks, including Cross-Site
Scripting (XSS) and data injection attacks. These attacks are used for
everything from data theft to site defacement to the distribution of
malware.

It is advised to add Content Security Policy headers for publicly
accessible directories - basically all base directories of file storages
(sys_file_storage).

The following example shows the contents of a file to be located at
fileadmin/.htaccess when using Apache 2.x web servers - it has to be
duplicated for any other custom file storage location.

<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>

This way scripts in HTML or SVG files are not executed anymore in modern
browsers that support Content Security Policies.
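
The following added example (not TYPO3's own security check) evaluates a
Content-Security-Policy header value against what the mitigation above
requires: script-src, style-src and object-src must effectively be
'none', taking into account that an absent directive falls back to
default-src. Function names and the sample header values are constructed
for the example.

```python
from typing import Dict, List, Set

# Directives that the advisory's fileadmin/.htaccess example pins to 'none'.
REQUIRED_NONE = ("script-src", "style-src", "object-src")
# Fetch directives that inherit default-src when they are absent from the policy.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "object-src"}


def parse_csp(header_value: str) -> Dict[str, Set[str]]:
    """Parse a Content-Security-Policy value into directive -> set of sources.

    As in browsers, a directive that appears twice keeps its first occurrence.
    """
    policy: Dict[str, Set[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = {s.lower() for s in tokens[1:]}
    return policy


def effective_sources(policy: Dict[str, Set[str]], directive: str) -> Set[str]:
    """Sources that actually govern a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", set())
    return set()


def csp_findings(header_value: str) -> List[str]:
    """Directives whose effective source list is anything other than exactly 'none'."""
    policy = parse_csp(header_value)
    return [d for d in REQUIRED_NONE if effective_sources(policy, d) != {"'none'"}]


def check_response_headers(headers: Dict[str, str]) -> List[str]:
    """Evaluate the CSP of a response; header names are matched case-insensitively.
    A missing header yields an empty policy, so every required directive is reported."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return csp_findings(lowered.get("content-security-policy", ""))
```

Feeding the header from a real response of a file under fileadmin/ into
check_response_headers gives the list of directives still to fix; an
empty list means uploaded HTML or SVG cannot run scripts there.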

Update November 18th, 2020

The CSP rules shown above are strict. We received reports that serving
PDF files via fileadmin/ is blocked in some browsers as well. We are
investigating potential alternatives.


svg-sanitizer extension

To sanitize user-submitted SVG files (removing malicious cross-site
scripting code), it is suggested to make use of the 3rd party extension
svg_sanitizer (composer package t3g/svg-sanitizer).

    https://extensions.typo3.org/extension/svg_sanitizer/
    https://packagist.org/packages/t3g/svg-sanitizer

This way SVG contents that are embedded in application markup (inline
SVG) cannot execute scripts anymore.


Credits

Thanks to Sinan Sekerci (Dreamlab Technologies) who brought this topic
again to our attention.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.

Please subscribe to the typo3-announce mailing list.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
