TYPO3 Session Expiration Vulnerability (TYPO3-CORE-SA-2022-005)

# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

CPE = "cpe:/a:typo3:typo3";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.148273");
  script_version("2023-04-05T10:19:45+0000");
  script_tag(name:"last_modification", value:"2023-04-05 10:19:45 +0000 (Wed, 05 Apr 2023)");
  script_tag(name:"creation_date", value:"2022-06-15 04:35:02 +0000 (Wed, 15 Jun 2022)");
  script_tag(name:"cvss_base", value:"6.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-06-23 13:24:00 +0000 (Thu, 23 Jun 2022)");

  script_cve_id("CVE-2022-31050");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("TYPO3 Session Expiration Vulnerability (TYPO3-CORE-SA-2022-005)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_typo3_http_detect.nasl");
  script_mandatory_keys("typo3/detected");

  script_tag(name:"summary", value:"TYPO3 is prone to an insufficient session expiration
  vulnerability in the admin tool.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Admin Tool sessions initiated via the TYPO3 backend user
  interface have not been revoked even if the corresponding user account was degraded to lower
  permissions or disabled completely. This way, sessions in the admin tool theoretically could have
  been prolonged without any limit.");

  script_tag(name:"affected", value:"TYPO3 version 9.0.0 through 9.5.34 ELTS, 10.0.0 through
  10.4.28 and 11.0.0 through 11.5.10.");

  script_tag(name:"solution", value:"Update to version 9.5.35 ELTS, 10.4.29, 11.5.11 or later.");

  script_xref(name:"URL", value:"https://typo3.org/security/advisory/typo3-core-sa-2022-005");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE, version_regex: "[0-9]+\.[0-9]+\.[0-9]+")) # nb: Version might not be exact enough
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range_exclusive(version: version, test_version_lo: "9.0", test_version_up: "9.5.35")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "9.5.35", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "10.0", test_version_up: "10.4.29")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "10.4.29", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "11.0", test_version_up: "11.5.11")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "11.5.11", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);