Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Typo3 4.5 < 4.7 - Remote Code Execution / Local File Inclusion / Remote File Inclusion

🗓️ 04 Jan 2012 00:00:00Reported by MaXeType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 108 Views

Typo3 v4.5-4.7 Remote Code Execution (RFI/LFI) - 4.5.0 up to 4.5.8, 4.6.0 and 4.6.

Code
# Exploit Title: Typo3 v4.5-4.7 - Remote Code Execution (RFI/LFI)
# Date: 4th January 2012
# Author: MaXe
# Software Link: https://typo3.org/download/
# Version: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development releases of
4.7 branch) 

 
Typo3 v4.5-4.7 - Remote Code Execution (RFI/LFI)
 
 
Versions Affected: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development
releases of 4.7 branch) 

Info:
TYPO3 is a small to midsize enterprise-class Content Management Framework
offering 
the best of both worlds: out-of-the-box operation with a complete set of
standard
modules and a clean and sturdy high-performance architecture accomodating
virtually
every kind of custom solution or extension. 
 
External Links:
http://typo3.org/

Credits: Björn Pedersen and Christian Toffolo who discovered and reported
the issue and the Security Team member Helmut Hummel for providing the
patch. 
(This advisory was rewritten by MaXe @InterN0T to offer a quick overview
of the vulnerability, including the removal of all irrelevant and untrue
details.


-:: The Advisory ::-
Requirements for any RCE: 
- register_globals in the php.ini MUST be enabled (if the exploit fails
against a supposed to be vulnerable version, this is why. This setting is
often disabled by default.)

Requirements for RFI:
- allow_url_include has to be enabled (It's often "off" by default.) 


Proof of Concept: 
By browsing to a script / page, that uses the following file:
typo3/sysext/workspaces/Classes/Controller/AbstractController.php (direct
access may not be allowed)
It is possible to include PHP code to be executed via the "BACK_PATH"
global variable. This can be accessed in ways like:
AbstractController.php?BACK_PATH=LFI/RFI%00

The vulnerable piece of code: require_once($GLOBALS['BACK_PATH'] .
'template.php');
Demonstrates, that it is necessary to append a null-byte ( %00 ) after the
maliciously crafted input / URL. (Unless your remote file if applicable, is
named something.template.php)


-:: Solution ::-
* Update to the latest version of Typo3 OR change the vulnerable piece of
code to: require_once(PATH_site . TYPO3_mainDir . 'template.php');
 
 
 
References:
- http://typo3.org/fileadmin/security-team/bug32571/32571.diff
-
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/
-
http://news.typo3.org/news/article/important-security-bulletin-pre-announcement-2/

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Jan 2012 00:00Current
7.4High risk
Vulners AI Score7.4
typo3remote code executionlocal file inclusionremote file inclusionsecurity advisorypatchvulnerabilityphp.inisolutionupdateworkspacesabstractcontrollernull bytereferenceversion 4.5.0version 4.5.8version 4.6.0version 4.6.1development releases
108