Sep. 19, 2008

Security issue in TYPO3 Extension Secure Directory (kw_secdir)

By Steffen Müller. Licensed under the Creative Commons License

Today, the TYPO3 security team released a collective security bulletin. Since I am the author of one of the extensions listed in the bulletin (kw_secdir), I'd like to comment on this a little. Especially the severity of "high" sounds evil, but it's IMHO less dangerous than some might think.

The extension was mentioned in the Collective Security Bulletin TYPO3-20080919-1, which was released today, September 19, 2008.

Details about the issue:

I got a mail on June 30, 2008 from the security team about the extension. It allows backend (BE) users to enter username, password and hosts in the filelist module. The problem here was that the host parameter was "not properly sanitized, making it possible to add arbitrary code lines to a htaccess file", the security team wrote. An example of how to insert malicious values was appended:

POC: all%0DAddType application/x-httpd-php .txt

This could lead to arbitrary code execution, because users were then able to upload executable PHP code in the filelist module (under certain conditions, see below).

Description of the patch:

I added a routine to compare the input field against a whitelist of characters to prevent injection of control characters.
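The whitelist check described above, as an added example that is not the extension's own code: a character whitelist applied to the decoded host field, plus the directive builder that refuses anything outside it. It assumes the field ends up in an Apache "Allow from" line and that the allowed character set below is close to what a legitimate host list needs.

```python
import re

# Whitelist of characters a legitimate host specification may contain:
# letters, digits, dots, colons (IPv6), slashes (CIDR masks), hyphens,
# underscores and the plain space that separates several hosts.
# CR, LF, tab and everything else are rejected, so no second directive
# can be started on a new .htaccess line. (Assumed character set, not the
# extension's actual whitelist.)
_ALLOWED = re.compile(r"[A-Za-z0-9.:/_ -]+")
_MAX_LEN = 255  # assumed upper bound, keeps the directive to one sane line


def is_safe_host(raw: str) -> bool:
    """Return True if the whole value passes the character whitelist.

    fullmatch() is used on purpose: with '$' a trailing newline would
    still match, which is exactly the class of character to reject.
    """
    return 0 < len(raw) <= _MAX_LEN and _ALLOWED.fullmatch(raw) is not None


def render_allow_directive(raw: str) -> str:
    """Build the .htaccess line for the host field, or refuse the value.

    Assumption: the field is written into an Apache 2.2 style
    'Allow from ...' directive. Validation runs on the decoded value,
    i.e. after the web server has turned %0D back into a CR byte.
    """
    if not is_safe_host(raw):
        raise ValueError("host field contains characters outside the whitelist")
    hosts = [tok for tok in raw.split(" ") if tok]  # collapse repeated spaces
    return "Allow from " + " ".join(hosts)


if __name__ == "__main__":
    # Constructed inputs: two legitimate values and the decoded form of the
    # bulletin's proof of concept (all%0DAddType application/x-httpd-php .txt).
    for value in ("all", "192.168.0.0/24  example.com",
                  "all\rAddType application/x-httpd-php .txt"):
        try:
            print(repr(value), "->", render_allow_directive(value))
        except ValueError as exc:
            print(repr(value), "-> rejected:", exc)
```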

A fixed version was released on July 8, 2008. So far the technical facts.

Criticism:

What I do not understand, is the bulletin severity of HIGH:

The vulnerability only affects systems with an unsafe Apache configuration, namely the infamous AllowOverride All for .htaccess context. The extension manual even says not to use that, because it opens doors for security holes. So no excuse if someone didn't give a f*** about this and was hit by the issue.

Also, why did the security team wait more than two months before releasing a bulletin, if the severity is so high?

Please don't get me wrong. The issue was there and some users may have been affected. But there was no description at all in the bulletin, and I wanted to cast a light on this.

License

This article is licensed under the Creative Commons License CC BY-SA 3.0. You are free to share (copy, distribute and transmit) and to remix (to adapt) the work under the following conditions:

  • You must attribute the work by mentioning the name of the author (Steffen Müller) and setting a link back to the original article using its URL.
  • If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.