Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-EF013039-89CD-11E8-84E9-00E04C1EA73D: typo3 -- multiple vulnerabilities

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

FreeBSD: VID-EF013039-89CD-11E8-84E9-00E04C1EA73D: typo3 -- multiple vulnerabilities

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
07/12/2018
Created
07/25/2018
Added
07/18/2018
Modified
07/18/2018

Description

Typo3 core team reports:

It has been discovered that TYPO3’s Salted Password system extension (which is a mandatory system component)

is vulnerable to Authentication Bypass when using hashing methods which are related by PHP class inheritance.

In standard TYPO3 core distributions stored passwords using the blowfish hashing algorithm can be overridden

when using MD5 as the default hashing algorithm by just knowing a valid username.

Per default the Portable PHP hashing algorithm (PHPass) is used which is not vulnerable.

Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact

that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored

with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way,

Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted

to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by

manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability.

In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit

has been identified so far.

Failing to properly dissociate system related configuration from user generated configuration,

the Form Framework (system extension "form") is vulnerable to SQL injection and Privilege Escalation.

Basically instructions can be persisted to a form definition file that were not configured to be modified -

this applies to definitions managed using the form editor module as well as direct file upload using the regular

file list module. A valid backend user account as well as having system extension form activated are needed

in order to exploit this vulnerability.

It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization

when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents

to PHP objects. A valid backend user account as well as having PHP setting "yaml.decode_php" enabled is needed

to exploit this vulnerability.

Solution(s)

  • freebsd-upgrade-package-typo3-7
  • freebsd-upgrade-package-typo3-8

insightVM

Advanced vulnerability management analytics and reporting.
Key Features
  • Lightweight Endpoint Agent
  • Live Dashboards
  • Real Risk Prioritization
  • IT-Integrated Remediation Projects
  • Cloud, Virtual, and Container Assessment
  • Integrated Threat Feeds
  • Easy-to-Use RESTful API
  • Automation-Assisted Patching
  • Automated Containment
Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;