-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-008
Product: TYPO3 CMS
Vendor: TYPO3 Association
Affected Version(s): 7.6.2 and below
Tested Version(s): 6.2.15
Vulnerability Type: Protection Mechanism Failure (CWE-693)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2016-01-26
Solution Date: 2016-02-16
Public Disclosure: 2016-02-16
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The TYPO3 extension manager does not provide an authenticity check for
extensions.

TYPO3 is an Open Source Enterprise CMS (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The TYPO3 extension manager can be used to install extensions from the
TYPO3 Extension Repository (TER). During the installation of an extension,
the program files are fetched from a remote server using an unencrypted
HTTP connection. The integrity of the downloaded file is checked by
comparing the MD5 sum of the downloaded binary against the extension list.
However, the extension list is also downloaded via an unencrypted HTTP
connection and can therefore not be used to guarantee the authenticity of
the downloaded code. An attacker in a man-in-the-middle position could
abuse this behaviour to inject arbitrary code into downloaded extensions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

* Configure TYPO3 to use an intercepting proxy to simulate a MitM attacker.
* Go to Extension Manager and choose "GetExtensions".
* Press "Update Now".
* Manipulate the response from http://typo3.org/fileadmin/ter/extensions.md5
  (forces an update of the extension list).
* Manipulate the response from http://typo3.org/fileadmin/ter/extensions.xml.gz
  to inject the md5sum of a manipulated extension (e.g. "nothing")
  (the md5sum of the .gz file has to match the manipulated value set in the
  previous step).
* Search for the manipulated extension.
* Trigger the installation of the manipulated extension.
* Manipulate the response from http://typo3.org/fileadmin/ter/n/o/_.t3x and
  replace the content with a custom extension.
* The extension will be installed without warning.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to TYPO3 version 6.2.17, 7.6.3 or above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-01-22: Vulnerability discovered
2016-01-26: Vulnerability reported to vendor
2016-02-16: Release of the TYPO3 versions 6.2.17 and 7.6.3
2016-02-16: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] TYPO3 CMS
    https://typo3.org
[2] SySS Security Advisory SYSS-2016-008
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-008.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Franz G. Jahn of SySS GmbH.

E-Mail: franz.jahn@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWwti5AAoJENWmFJbQahTe4NwP/08+DLG3rRQ/JQsVhkLnsipg
2BmAFtBStkwhBUdo38BwKIz2QNK5BG5fDiH8nL6+oz7Uo54mtkwyzZgGbSFYq5c1
sGpM043P75mKt7/8YzsjnujoXfB1vLs2pdcFoeYU+fFej+j7LjQWEw8buEpU0PXB
akZbRba374yC9XZZY85YhLpLCMoUHJ5q1Fkqs/w8HFnfpmXmw0SxoWGMZ6TL7Bbp
UUffc1bzEK8e2iB1UNXxfabo6o6hneNsJ+cj4hky4xIbFWI1t6kiPKVyZ5bBx8OU
4AOXrqm+nVnO33+SQs1H/VqJFEDzL1nZvvX3gcb9PpP8OzgVNWRbfLqTH2LogTi4
VNi4PfswOnKXmpnizj9U3D/Vl9nZtvPnv0hwVk6YKOg6uhcqGWaTU6H6jeWzvNjt
UyE3q5lz2lx7X8VyDXFmq1xmRhfUo5D9m4w7paN+0pKh/1V//cESZEGzKC+lv1fM
OKBdDotiKzsuxSEhryXI0nisu7hyMISeojfp5g8JUVLG+2NR0NpRJZz86ZTQpu7P
AcuDaJZw4/boQ9S23xIpHI90X6rvGR2RhAGn/qJYm0Vx7hlbnl/JIKyYNGTIgi4U
DakCVsercfqItyf3pucGsOLeu3HcQrkUT6ecsulwkionfoKKew4lDTcMkRhJltEd
NIU4UyoLDussUkcdv9IO
=bGm/
-----END PGP SIGNATURE-----