83%
27%
91%
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14, 11.1.1.
CVSS 3.1 Base Score 8.3. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H).
CVSS 2.0 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P).
The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory.
print "</ul>\n";print "<li>$_</li>\n";While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as:
../../../etc/passwdThe program would generate a profile pathname like this:
/users/cwe/profiles/../../../etc/passwdWhen the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file:
/etc/passwdAs a result, the attacker could read the entire text of the password file.
Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined.
In the example below, the path to a dictionary file is read from a system property and used to initialize a File object.
File dictionaryFile = new File(filename);However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory.
The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
ReadAndSendFile($filename);Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:
../../../etc/passwdwill have the first "../" stripped, resulting in:
../../etc/passwdThis value is then concatenated with the /home/user/ directory:
/home/user/../../etc/passwdwhich causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).
The following code attempts to validate a given input path by checking it against a whitelist and once validated delete the given file. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".
}f.delete()An attacker could provide an input such as this:
/safe_dir/../important.datThe software assumes that the path is valid because it starts with the "/safe_path/" sequence, but the "../" sequence will cause the program to delete the important.dat file in the parent directory
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The HTML code is the same as in the previous example with the action attribute of the form sending the upload file request to the Java servlet instead of the PHP code.
</form><input type="submit" name="submit" value="Submit"/>When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.
}
{...}// the starting position of the boundary header// verify that content type is multipart form data
// output the file to the local upload directorybw.close();}bw.flush();// output successful upload response HTML page// output unsuccessful upload response HTML page...This code does not check the filename that is provided in the header, so an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.
Also, this code does not perform a check on the type of the file being uploaded. This could allow an attacker to upload any executable file or other file with malicious code (CWE-434).
The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".
</form>Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.
}// Define the target location where the picture being// uploaded is going to be saved.// Move the uploaded file to the new location.echo "The picture has been successfully uploaded.";echo "There was an error uploading the picture, please try again.";The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:
malicious.phpSince this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use:
?>system($_GET['cmd']);Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as:
http://server.example.com/upload_dir/malicious.php?cmd=ls%20-lwhich runs the "ls -l" command - or any other type of command that the attacker wants to specify.
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The HTML code is the same as in the previous example with the action attribute of the form sending the upload file request to the Java servlet instead of the PHP code.
</form>When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.
}
{...}
// output successful upload response HTML page
bw.close();}bw.flush();...As with the previous example this code does not perform a check on the type of the file being uploaded. This could allow an attacker to upload any executable file or other file with malicious code.
Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-22, CWE-23). Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.
This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.
...The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited.
This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.
.../* board dimensions */die("No integer passed: Die evil hacker!\n");die("No integer passed: Die evil hacker!\n");die("Value too large: Die evil hacker!\n");While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program.
The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage.
echo "Birthday: $birthday<br>Homepage: <a href=$homepage>click here</a>"The programmer intended for $birthday to be in a date format and $homepage to be a valid URL. However, since the values are derived from an HTTP request, if an attacker can trick a victim into clicking a crafted URL with <script> tags providing the values for birthday and / or homepage, then the script will run on the client's browser when the web server echoes the content. Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form:
2009-01-09--If this data were used in a SQL statement, it would treat the remainder of the statement as a comment. The comment could disable other security-related logic in the statement. In this case, encoding combined with input validation would be a more useful protection mechanism.
Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used. Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may also be possible.
This function attempts to extract a pair of numbers from a user-supplied string.
}
die("Did not specify integer value. Die evil hacker!\n");/* proceed assuming n and m are initialized correctly */This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:
123:then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
The following example takes a user-supplied value to allocate an array of objects and then operates on the array.
}list[0] = new Widget();die("Negative value supplied for list size, die evil hacker!");This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown.
This application has registered to handle a URL when sent an intent:
}......
}
}int length = URL.length();...The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.
If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.