Advisory ID: SYSS-2016-007
Product: TYPO3 CMS
Vendor: TYPO3 Association
Affected Version(s): 8.0.0 to 8.2.0, 7.6.0 to 7.6.9, 6.2.25 and below
Tested Version(s): 6.2.15
Vulnerability Type: Deserialization of Untrusted Data (CWE-502)
Risk Level: High
Solution Status: Open
Vendor Notification: 2016-01-26
Solution Date: 2016-07-19
Public Disclosure: 2016-07-19
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

A Deserialization of Untrusted Data vulnerability was discovered in the
TYPO3 CMS. TYPO3 is an Open Source Enterprise CMS (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

TYPO3 provides functions to export and import parts of the page tree to
and from a file [2]. A custom file format (.t3d) is used to store the
exported data. Inside this file format, the data is stored as a
serialized PHP object. During the import, the serialized data is
deserialized using the PHP unserialize function.

As this feature is designed to work across multiple installations, no
signatures are used which could ensure the integrity and authenticity of
a .t3d file. Therefore it is possible to inject arbitrary serialized
objects.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using a crafted .t3d file, it is possible to trigger magic functions
like __destruct(). Using a serialized object of the class
TYPO3\CMS\Extensionmanager\Controller\UploadExtensionFileController, it
is possible to delete arbitrary files from the server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to TYPO3 version 6.2.26, 7.6.10, 8.2.1 or later.

The vulnerability itself still exists; however, the update restricts
access to the affected feature to administrative users.
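A pre-import check for the class of flaw described above, added here as an example (it is neither TYPO3 code nor part of the advisory): it walks the PHP serialization grammar and lists every class an unserialize() call would instantiate, so an operator can reject a .t3d payload that carries unexpected object tokens before the import runs. It assumes the raw serialized data has already been extracted from the .t3d container, whose framing the advisory does not describe; the sample payload is constructed.

```python
from typing import List, Tuple

# Constructed sample: an array holding one harmless object, plus a string whose
# *contents* look like an object token (a naive grep for "O:" would flag it).
SAMPLE = b'a:2:{s:4:"tree";O:8:"stdClass":1:{s:3:"pid";i:1;}s:4:"note";s:12:"O:1:"x":0:{}";}'


def _until(data: bytes, pos: int, stop: bytes) -> Tuple[bytes, int]:
    end = data.index(stop, pos)
    return data[pos:end], end + 1


def _walk(data: bytes, pos: int, found: List[str]) -> int:
    """Consume one serialized value at pos, collecting object class names."""
    tag = data[pos:pos + 1]
    if tag == b"N":                               # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):     # tag:value;
        return _until(data, pos + 2, b";")[1]
    if tag == b"s":                               # s:<len>:"<bytes>";
        n, pos = _until(data, pos + 2, b":")
        return pos + int(n) + 3                   # quote, bytes, quote, ';'
    if tag == b"a":                               # a:<count>:{k;v;...}
        count, pos = _until(data, pos + 2, b":")
        pos += 1
        for _ in range(2 * int(count)):
            pos = _walk(data, pos, found)
        return pos + 1
    if tag in (b"O", b"C"):                       # O:<len>:"<class>":<count>:{...}
        n, pos = _until(data, pos + 2, b":")
        found.append(data[pos + 1:pos + 1 + int(n)].decode("latin-1"))
        count, pos = _until(data, pos + int(n) + 3, b":")
        pos += 1
        if tag == b"C":                           # opaque Serializable payload
            return pos + int(count) + 1
        for _ in range(2 * int(count)):
            pos = _walk(data, pos, found)
        return pos + 1
    raise ValueError(f"unexpected tag {tag!r} at offset {pos}")


def object_classes(data: bytes) -> List[str]:
    """Return every class name an unserialize() of data would instantiate."""
    found: List[str] = []
    if _walk(data, 0, found) != len(data):
        raise ValueError("trailing bytes after serialized value")
    return found


def disallowed_classes(data: bytes, allowed: frozenset = frozenset()) -> List[str]:
    """Classes not on the import allow-list; a non-empty result means reject."""
    return [c for c in object_classes(data) if c not in allowed]
```

On PHP 7.0 or later the same effect at the sink is obtained with the `allowed_classes` option of unserialize(), which turns unexpected objects into __PHP_Incomplete_Class instead of instantiating them.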
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-01-22: Vulnerability discovered
2016-01-26: Vulnerability reported to vendor
2016-07-19: Release of TYPO3 versions 6.2.26, 7.6.10 and 8.2.1 and
            release of TYPO3 Security Bulletin TYPO3-CORE-SA-2016-015 [3]
2016-07-21: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] TYPO3 CMS
    https://typo3.org
[2] TYPO3 Import / Export
    https://wiki.typo3.org/Faq/copy_parts_of_a_running_TYPO3_system_to_another_server
[3] TYPO3 Security Bulletin TYPO3-CORE-SA-2016-015
    https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-015/
[4] SySS GmbH, SYSS-2016-036
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-036.txt
[5] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Franz G. Jahn of SySS GmbH.

E-Mail: franz.jahn@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en