
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN163
_____________________________________________________________________

DATE                : 16/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TYPO3-CORE versions prior to
                     6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

=====================================================================
https://typo3.org/security/advisory/typo3-core-sa-2021-001
https://typo3.org/security/advisory/typo3-core-sa-2021-002
https://typo3.org/security/advisory/typo3-core-sa-2021-003
https://typo3.org/security/advisory/typo3-core-sa-2021-004
https://typo3.org/security/advisory/typo3-core-sa-2021-005
https://typo3.org/security/advisory/typo3-core-sa-2021-006
https://typo3.org/security/advisory/typo3-core-sa-2021-007
https://typo3.org/security/advisory/typo3-core-sa-2021-008
_____________________________________________________________________

Tue. 16th March, 2021
TYPO3-CORE-SA-2021-001: Open Redirection in Login Handling

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to open
redirection.

    Component Type: TYPO3 CMS
    Subcomponent: Login Handling (ext:core)
    Release Date: March 16, 2021
    Vulnerability Type: Open Redirection
    Affected Versions: 6.2.0-6.2.56, 7.0.0-7.6.50, 8.0.0-8.7.39,
                       9.0.0-9.5.24, 10.0.0-10.4.13, 11.0.0-11.1.0
    Severity: Medium
    Suggested CVSS:
        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2021-21338, CWE-601


Problem Description

It has been discovered that Login Handling is susceptible to open
redirection, which allows attackers to redirect users to arbitrary
content and to conduct phishing attacks. No authentication is required
in order to exploit this vulnerability.
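The defensive check that closes this class of bug is a strict allow-list on
the post-login redirect target. The following is an added example written for
this note; it is not TYPO3's login handling code. The host name, the fallback
page and all sample targets are constructed for the demonstration; only
site-relative paths and absolute http(s) URLs on the site's own host are
followed, everything else falls back to a fixed page.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not TYPO3 code): decide whether a post-login redirect
 * target may be followed. Only same-site targets are accepted; anything
 * that would leave the site (absolute URL to another host, protocol-
 * relative "//host", "/\" tricks, non-http schemes, embedded control
 * characters) is rejected.
 */
function isSafeRedirectTarget(string $target, string $ownHost): bool
{
    $target = trim($target);
    if ($target === '') {
        return false;
    }
    // Control characters or whitespace inside the URL: refuse outright.
    if (preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }
    // Site-relative path: must start with exactly one "/" (not "//" or "/\").
    if ($target[0] === '/') {
        return !preg_match('#^/[/\\\\]#', $target);
    }
    // Anything else must be a full URL on our own host. A bare "page"
    // (no leading slash, no scheme) is deliberately rejected as ambiguous.
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;   // javascript:, data:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;   // "https://own.host@other.host/" confusion
    }
    return strtolower($parts['host']) === strtolower($ownHost);
}

/** Pick the redirect to perform after login; fall back to a fixed page. */
function resolveRedirect(?string $requested, string $ownHost, string $fallback = '/'): string
{
    return ($requested !== null && isSafeRedirectTarget($requested, $ownHost))
        ? $requested
        : $fallback;
}

// Constructed inputs for demonstration (host and targets are made up).
$own = 'www.example.org';
$cases = [
    ['/dashboard',                             true],
    ['https://www.example.org/account',        true],
    ['//evil.example/phish',                   false],
    ['/\\evil.example',                        false],
    ['https://evil.example/login',             false],
    ['javascript:alert(1)',                    false],
    ['https://www.example.org@evil.example/',  false],
    ["/ok\r\nX-Injected: 1",                   false],
];
foreach ($cases as [$input, $expected]) {
    $got = isSafeRedirectTarget($input, $own);
    printf("%-42s -> %s %s\n", json_encode($input), var_export($got, true),
        $got === $expected ? '' : '(MISMATCH)');
}
echo 'redirecting to: ', resolveRedirect('//evil.example/phish', $own), "\n";  // "/"
```

The comparison is done on the parsed host, not by string prefix: a prefix test
such as "starts with https://www.example.org" is exactly what the userinfo and
protocol-relative cases above are designed to slip past.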


Solution

Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1
that fix the problem described.


Credits

Thanks to Alexander Kellner on behalf of Bayerische Staatsbibliothek who
reported this issue and to TYPO3 security team member Torben Hansen who
fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 16th March, 2021
TYPO3-CORE-SA-2021-002: Unrestricted File Upload in Form Framework

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to unrestricted file
upload.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: March 16, 2021
    Vulnerability Type: Unrestricted File Upload
    Affected Versions: 8.0.0-8.7.39, 9.0.0-9.5.24, 10.0.0-10.4.13,
                       11.0.0-11.1.0
    Severity: High
    Suggested CVSS:
        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
    References: CVE-2021-21355, CWE-434, CWE-552


Problem Description

Because it was not ensured that file extensions match the configured
allowed mime-types, attackers can upload arbitrary data with arbitrary
file extensions. However, the default fileDenyPattern successfully
blocked files like .htaccess or malicious.php.

TYPO3 Extbase extensions which implement a file upload and do not
implement a custom TypeConverter to transform uploaded files into
FileReference domain model objects are affected by the vulnerability as
well, since the UploadedFileReferenceConverter of ext:form handles the
file upload and accepts files of any mime-type, which are then persisted
to the default location.

In any case, uploaded files are placed in the default location
/fileadmin/user_upload/, in most scenarios keeping the submitted
filename. This allows attackers to directly reference files, or even to
correctly guess filenames used by other individuals, disclosing this
information.

No authentication is required to exploit this vulnerability.


Solution

Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the
problem described.

The type converter UploadedFileReferenceConverter is no longer registered
globally and only handles uploaded files within the scope of the Form
Framework. The guessable storage location has changed from
/fileadmin/user_upload/ to /fileadmin/user_upload/form_<random-hash>/.
Allowed mime-types must match the expected file extensions (e.g.
application/pdf must be .pdf, and cannot be .html).

Extbase extensions that rely on the global availability of the
UploadedFileReferenceConverter must now implement a custom TypeConverter
to handle file uploads, or explicitly implement the ext:form
UploadedFileReferenceConverter with appropriate settings for accepted
mime-types.
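The three corrective measures named above (extension must belong to an
allowed mime-type, deny pattern still applies, storage under a random
per-form directory) can be expressed as one validation routine. The block
below is an added example for this note, not ext:form's
UploadedFileReferenceConverter or a TYPO3 API. The extension table and the
deny pattern are assumptions (TYPO3's real default fileDenyPattern is not
reproduced); the sample uploads are constructed. It also checks the bytes
with libmagic, which goes one step beyond the advisory's extension check.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not ext:form code). Validates a form upload the way the
 * fixed behaviour is described: the extension must belong to an allowed
 * mime-type, dangerous names are refused, and the file is stored under a
 * per-form random directory so other people's filenames cannot be guessed.
 */

// Which extensions are acceptable for each allowed mime-type (assumed table).
const EXTENSIONS_FOR_MIME = [
    'application/pdf' => ['pdf'],
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
];

// Stand-in for a fileDenyPattern; TYPO3's real default is not reproduced here.
const DENY_PATTERN = '/(^\.ht|\.(php|phtml|phar|pht|phps|shtml|cgi|pl)\d*(\.|$))/i';

/** Returns null when the upload is acceptable, otherwise the reason it is not. */
function validateUpload(string $clientName, string $clientMime, string $content, array $allowedMimes): ?string
{
    $name = basename($clientName);                       // drop any path component
    if ($name === '' || preg_match(DENY_PATTERN, $name)) {
        return 'filename matches deny pattern';
    }
    if (!in_array($clientMime, $allowedMimes, true)) {
        return 'mime-type not allowed for this form field';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowedExt = EXTENSIONS_FOR_MIME[$clientMime] ?? [];
    if (!in_array($ext, $allowedExt, true)) {
        return "extension .$ext does not belong to $clientMime";
    }
    // Do not trust the client-supplied type: sniff the bytes as well.
    $sniffed = (string)(new finfo(FILEINFO_MIME_TYPE))->buffer($content);
    if ($sniffed !== $clientMime) {
        return "content looks like $sniffed, not $clientMime";
    }
    return null;
}

/** Target path with a random, unguessable per-form directory. */
function storagePath(string $uploadRoot, string $clientName): string
{
    $dir = rtrim($uploadRoot, '/') . '/form_' . bin2hex(random_bytes(16));
    return $dir . '/' . basename($clientName);
}

// Constructed inputs: name, client-declared type, first bytes of content.
$allowed = ['application/pdf'];
$checks = [
    ['report.pdf',  'application/pdf', "%PDF-1.4\n%constructed"],
    ['report.html', 'application/pdf', "%PDF-1.4\n%constructed"],           // extension/mime mismatch
    ['shell.php',   'application/pdf', "%PDF-1.4\n%constructed"],           // deny pattern
    ['report.pdf',  'application/pdf', "<html><script>1</script></html>"],  // bytes are not a PDF
];
foreach ($checks as [$n, $m, $c]) {
    $err = validateUpload($n, $m, $c, $allowed);
    printf("%-12s %s\n", $n, $err ?? 'accepted -> ' . storagePath('fileadmin/user_upload', $n));
}
```

Only the first sample is accepted; its storage path changes on every run
because the form_<hash> segment is drawn from random_bytes(). The ordering of
the checks matters for error reporting only: each rejection is independent of
the others.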


Credits

Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus
Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this
issue, and to TYPO3 core & security team members Oliver Hader & Benni
Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 16th March, 2021
TYPO3-CORE-SA-2021-003: Broken Access Control in Form Framework

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to broken access
control.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: March 16, 2021
    Vulnerability Type: Broken Access Control
    Affected Versions: 8.0.0-8.7.39, 9.0.0-9.5.24, 10.0.0-10.4.13,
                       11.0.0-11.1.0
    Severity: High
    Suggested CVSS:
        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:H/RL:O/RC:C
    References: CVE-2021-21357, CWE-20, CWE-22, CWE-434


Problem Description

Due to improper input validation, attackers can bypass restrictions of
predefined options and submit arbitrary data in the Form Designer
backend module of the Form Framework.

In the default configuration of the Form Framework this allows attackers
to explicitly allow arbitrary mime-types for file uploads. However, the
default fileDenyPattern successfully blocked files like .htaccess or
malicious.php. Besides that, attackers can persist those files in any
writable directory of the corresponding TYPO3 installation.

A valid backend user account with access to the form module is needed to
exploit this vulnerability.
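The underlying control is that a "predefined option" is only a restriction
if the server re-validates it; a select box in the browser is not. The
following added example (not the Form Designer's code) re-checks a submitted
form definition on the server: option values must come from the predefined
set, and the chosen storage folder must resolve inside an approved root even
after ".." segments. The setting names, the approved root and the two
submissions are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not TYPO3 code). Server-side validation of a submitted
 * form definition: values for select-style settings must be one of the
 * predefined options, and the storage folder must stay inside an approved
 * root. Client-side restriction of the options alone is not a control.
 */
const PREDEFINED_OPTIONS = [
    'allowedMimeTypes' => ['application/pdf', 'image/jpeg', 'image/png'],   // assumed setting
];
const APPROVED_UPLOAD_ROOT = '/var/www/site/fileadmin/user_upload';         // assumed path

/** Returns the submitted values that are NOT among the predefined options. */
function rejectedOptions(string $setting, array $submitted): array
{
    $allowed = PREDEFINED_OPTIONS[$setting] ?? [];
    return array_values(array_diff($submitted, $allowed));
}

/** True only if $folder, after collapsing "." and "..", lies inside the root. */
function isInsideApprovedRoot(string $folder): bool
{
    $root = rtrim(APPROVED_UPLOAD_ROOT, '/') . '/';
    // Normalise lexically (no file-system access) so the check is pure.
    $parts = [];
    foreach (explode('/', $folder) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    $normalised = '/' . implode('/', $parts) . '/';
    return strncmp($normalised, $root, strlen($root)) === 0;
}

/** Collects every violation so the whole definition can be refused at once. */
function validateFormDefinition(array $def): array
{
    $errors = [];
    foreach (rejectedOptions('allowedMimeTypes', $def['allowedMimeTypes'] ?? []) as $bad) {
        $errors[] = "mime-type '$bad' is not a predefined option";
    }
    if (!isInsideApprovedRoot((string)($def['uploadFolder'] ?? ''))) {   // 'uploadFolder' is a hypothetical key
        $errors[] = 'uploadFolder is outside the approved upload root';
    }
    return $errors;
}

// Constructed submissions: one as the UI would send it, one tampered.
$good = [
    'allowedMimeTypes' => ['application/pdf'],
    'uploadFolder'     => APPROVED_UPLOAD_ROOT . '/contact',
];
$bad = [
    'allowedMimeTypes' => ['application/x-httpd-php'],
    'uploadFolder'     => APPROVED_UPLOAD_ROOT . '/../../typo3conf',
];
print_r(validateFormDefinition($good));   // Array ( )
print_r(validateFormDefinition($bad));    // two errors
```

The path test is lexical on purpose: realpath() returns false for folders that
do not exist yet, which would either block legitimate new folders or, if
treated as "no result, allow", pass the traversal through.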


Solution

Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the
problem described.


Credits

Thanks to Richie Lee who reported this issue and to TYPO3 contributor
Ralf Zimmermann who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.


_____________________________________________________________________

Tue. 16th March, 2021
TYPO3-CORE-SA-2021-004: Cross-Site Scripting in Form Framework

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is vulnerable to cross-site
scripting.

    Component Type: TYPO3 CMS
    Subcomponent: Form Framework (ext:form)
    Release Date: March 16, 2021
    Vulnerability Type: Cross-Site Scripting
    Affected Versions: 10.2.0-10.4.13, 11.0.0-11.1.0
    Severity: Medium
    Suggested CVSS:
        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
    References: CVE-2021-21358, CWE-79


Problem Description

It has been discovered that the Form Designer backend module of the Form
Framework is vulnerable to cross-site scripting. A valid backend user
account with access to the form module is needed to exploit this
vulnerability.


Solution

Update to TYPO3 versions 10.4.14 or 11.1.1 that fix the problem
described.


Credits

Thanks to Richie Lee who reported this issue and to TYPO3 framework
merger Andreas Fernandez who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.


_____________________________________________________________________

Tue. 16th March, 2021
TYPO3-CORE-SA-2021-005: Denial of Service in Page Error Handling

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to denial of
service.

    Component Type: TYPO3 CMS
    Subcomponent: Page Error Handling (ext:core, ext:frontend)
    Release Date: March 16, 2021
    Vulnerability Type: Denial of Service
    Affected Versions: 9.0.0-9.5.24, 10.0.0-10.4.13, 11.0.0-11.1.0
    Severity: Medium
    Suggested CVSS:
        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C
    References: CVE-2021-21359, CWE-405, CWE-674


Problem Description

Requesting invalid or non-existing resources via HTTP triggers the page
error handler, which in turn may retrieve the content to be shown as an
error message from another page. This leads to a scenario in which the
application calls itself recursively, amplifying the impact of the
initial attack until the limits of the web server are exceeded.
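The loop is easiest to see in a model: a site whose error page is itself
configured to a non-existing URL, so fetching it produces another 404, which
fetches it again. The following added example (not TYPO3's page error
handler) runs that model in-process, once unguarded and once with the guard a
handler needs: the internal fetch is tagged with a request header, and a
request that already carries the tag gets a static fallback instead of
another fetch. The header name, the URLs and the call limit are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not TYPO3 code). Models the recursion the advisory
 * describes and a guard against it. handleRequest() is a stand-in for the
 * web application; pageErrorHandler() is the part that fetches error
 * content from another page of the same site.
 */
const ERROR_FETCH_HEADER = 'X-Error-Page-Fetch';   // assumed header name
const ERROR_PAGE_URL     = '/missing-error-page';  // misconfigured on purpose
const CALL_LIMIT         = 50;                      // stands in for server exhaustion

$handlerCalls = 0;   // how many times the error handler ran in a scenario

/** Minimal in-process site: only "/" exists; everything else is a 404. */
function handleRequest(string $path, array $headers, bool $guarded): array
{
    if ($path === '/') {
        return [200, 'home'];
    }
    return pageErrorHandler($path, $headers, $guarded);
}

function pageErrorHandler(string $path, array $headers, bool $guarded): array
{
    global $handlerCalls;
    $handlerCalls++;
    if ($handlerCalls > CALL_LIMIT) {
        return [500, 'call limit hit (simulated web server exhaustion)'];
    }
    // Guard: a fetch of the error page that itself fails must not fetch again.
    if ($guarded && isset($headers[ERROR_FETCH_HEADER])) {
        return [404, 'Page not found (static fallback)'];
    }
    // Otherwise fetch the configured error page, tagging the sub-request so
    // the handler can recognise its own fetch on the way back in.
    [$status, $body] = handleRequest(ERROR_PAGE_URL, [ERROR_FETCH_HEADER => '1'], $guarded);
    return [404, $body];
}

function runScenario(bool $guarded): array
{
    global $handlerCalls;
    $handlerCalls = 0;
    [$status, $body] = handleRequest('/does-not-exist', [], $guarded);
    return ['guarded' => $guarded, 'status' => $status, 'body' => $body, 'handler_calls' => $handlerCalls];
}

print_r(runScenario(false));   // handler_calls => 51, body reports the call limit
print_r(runScenario(true));    // handler_calls => 2, static fallback body
```

In a real deployment the same two requests are separate HTTP connections,
so without the guard each client request costs the server a chain of
self-requests rather than one; that is the amplification the CVSS vector's
A:H reflects. A depth counter alone is not enough across connections, which
is why the marker travels with the sub-request.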


Solution

Update to TYPO3 versions 9.5.25, 10.4.14, 11.1.1 that fix the problem
described.


Credits

Thanks to Paul Keller, Mathias Bolt Lesniak and Kay Strobach who
reported this issue and to TYPO3 framework merger Frank Nägler and to
TYPO3 security team member Torben Hansen who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________

Tue. 16th March, 2021
TYPO3-CORE-SA-2021-006: Cleartext storage of session identifier

Categories: Development, TYPO3 CMS
Created by Oliver Hader

It has been discovered that TYPO3 CMS is susceptible to sensitive data
exposure.

    Component Type: TYPO3 CMS
    Subcomponent: Session Storage (ext:core)
    Release Date: March 16, 2021
    Vulnerability Type: Sensitive Data Exposure
    Affected Versions: 6.2.0-6.2.56, 7.0.0-7.6.50, 8.0.0-8.7.39,
                       9.0.0-9.5.24, 10.0.0-10.4.13, 11.0.0-11.1.0
    Severity: High
    Suggested CVSS:
        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
    References: CVE-2021-21339, CWE-312


Problem Description

User session identifiers were stored in cleartext, without applying an
additional cryptographic hash. This vulnerability cannot be exploited
directly; it occurs in combination with a chained attack, for instance
an SQL injection in any other component of the system.


Solution

Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1
that fix the problem described.


Credits

Thanks to TYPO3 security team member Oliver Hader who reported this
issue and to TYPO3 core & security team members Benni Mack & Oliver
Hader who fixed the issue.


General Advice

Follow the recommendations that are given in the TYPO3 Security Guide.
Please subscribe to the typo3-announce mailing list.


General Note

All security related code changes are tagged so that you can easily look
them up in our review system.

_____________________________________________________________________



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
