ID OPENVAS:1361412562310804205 Type openvas Reporter Copyright (C) 2014 Greenbone Networks GmbH Modified 2018-10-12T00:00:00
Description
TYPO3 is installed on this host and is prone to multiple vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_typo3_fal_mult_vuln.nasl 2014-01-06 12:50:36Z jan$
#
# TYPO3 File Abstraction Layer Multiple Vulnerabilities
#
# Authors:
# Shashi Kiran N <nskiran@secpod.com>
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
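# CPE identifier used further down to look up the port and version that the
# detection script recorded for TYPO3.
CPE = "cpe:/a:typo3:typo3";

# Metadata block: registers the test's identifiers, scoring, report texts and
# prerequisites, then exits without touching the target.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.804205");
  script_version("$Revision: 11867 $");
  script_cve_id("CVE-2013-4320", "CVE-2013-4321");
  script_bugtraq_id(62255, 62257);

  # Au:S in the vector: exploitation needs an authenticated account, which the
  # impact text below has to reflect.
  script_tag(name:"cvss_base", value:"6.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:P/I:P/A:P");

  # The verdict rests on the version string reported by the detection script,
  # not on probing the flaw itself, so treat a finding as "version in range"
  # and confirm the patch level on the host before acting on it.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");
  script_tag(name:"last_modification", value:"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $");
  script_tag(name:"creation_date", value:"2014-01-06 12:50:36 +0530 (Mon, 06 Jan 2014)");
  script_name("TYPO3 File Abstraction Layer Multiple Vulnerabilities");

  # Report texts. The impact names authenticated users so that it agrees with
  # the Au:S component of the CVSS vector registered above.
  script_tag(name:"impact", value:"Successful exploitation will allow remote authenticated users to execute arbitrary code
or read sensitive information.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"insight", value:"The File Abstraction Layer implements permissions for copying, deleting, and
moving files only partially, and it does not properly handle denied file
extension names that contain special characters.");
  script_tag(name:"solution", value:"Upgrade to TYPO3 version 6.0.9, 6.1.4 or later.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"summary", value:"This host is installed with TYPO3 and is prone to multiple vulnerabilities.");
  script_tag(name:"affected", value:"TYPO3 version 6.0.0 to 6.0.8, 6.1.0 to 6.1.3");

  script_xref(name:"URL", value:"http://secunia.com/advisories/54679/");
  script_xref(name:"URL", value:"http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003");

  # Information gathering only; runs after gb_typo3_detect.nasl and only when
  # that script has set the TYPO3/installed key.
  script_category(ACT_GATHER_INFO);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_dependencies("gb_typo3_detect.nasl");
  script_mandatory_keys("TYPO3/installed");
  script_require_ports("Services/www", 80);
  exit(0);
}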
include("version_func.inc");
include("host_details.inc");
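# Port on which TYPO3 was detected; without one there is nothing to evaluate.
if(!typoPort = get_app_port(cpe:CPE)){
  exit(0);
}

if(typoVer = get_app_version(cpe:CPE, port:typoPort))
{
  # A version without three numeric components cannot be placed in a
  # patch-level range, so no verdict is given for it.
  if( typoVer !~ "[0-9]+\.[0-9]+\.[0-9]+" ) exit( 0 ); # Version is not exact enough

  # Map the detected version to the fixed release of its own branch, using the
  # same ranges and fixed versions as the "affected" and "solution" tags.
  fixedVer = NULL;
  if(version_in_range(version:typoVer, test_version:"6.0.0", test_version2:"6.0.8")){
    fixedVer = "6.0.9";
  }
  else if(version_in_range(version:typoVer, test_version:"6.1.0", test_version2:"6.1.3")){
    fixedVer = "6.1.4";
  }

  if(fixedVer)
  {
    # Include the detected and the fixed version in the result so the finding
    # can be verified against the host and triaged without re-running detection.
    report = report_fixed_ver(installed_version:typoVer, fixed_version:fixedVer);
    security_message(port:typoPort, data:report);
    exit(0);
  }
}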
{"id": "OPENVAS:1361412562310804205", "type": "openvas", "bulletinFamily": "scanner", "title": "TYPO3 File Abstraction Layer Multiple Vulnerabilities", "description": "This host is installed with TYPO3 and is prone to multiple vulnerabilities.", "published": "2014-01-06T00:00:00", "modified": "2018-10-12T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804205", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["http://secunia.com/advisories/54679/", "http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003"], "cvelist": ["CVE-2013-4321", "CVE-2013-4320"], "lastseen": "2019-05-29T18:37:35", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4321", "CVE-2013-4320"]}, {"type": "typo3", "idList": ["TYPO3-CORE-SA-2013-003"]}], "modified": "2019-05-29T18:37:35", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2019-05-29T18:37:35", "rev": 2}, "vulnersScore": 6.3}, "pluginID": "1361412562310804205", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_typo3_fal_mult_vuln.nasl 2014-01-06 12:50:36Z jan$\n#\n# TYPO3 File Abstraction Layer Multiple Vulnerabilities\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:typo3:typo3\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804205\");\n script_version(\"$Revision: 11867 $\");\n script_cve_id(\"CVE-2013-4320\", \"CVE-2013-4321\");\n script_bugtraq_id(62255, 62257);\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-01-06 12:50:36 +0530 (Mon, 06 Jan 2014)\");\n script_name(\"TYPO3 File Abstraction Layer Multiple Vulnerabilities\");\n\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary code\nor read sensitive information.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"An error exist in the File Abstraction Layer, which implements partial\npermissions for copying, deleting, and moving files and it does not properly\nhandle denied file extension names that contain special characters.\");\n script_tag(name:\"solution\", value:\"Upgrade to TYPO3 version 6.0.9, 6.1.4 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is installed with TYPO3 and is prone to multiple vulnerabilities.\");\n script_tag(name:\"affected\", value:\"TYPO3 version 6.0.0 to 6.0.8, 6.1.0 to 6.1.3\");\n\n script_xref(name:\"URL\", 
value:\"http://secunia.com/advisories/54679/\");\n script_xref(name:\"URL\", value:\"http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_typo3_detect.nasl\");\n script_mandatory_keys(\"TYPO3/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n\nif(!typoPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(typoVer = get_app_version(cpe:CPE, port:typoPort))\n{\n if( typoVer !~ \"[0-9]+\\.[0-9]+\\.[0-9]+\" ) exit( 0 ); # Version is not exact enough\n if(version_in_range(version:typoVer, test_version:\"6.0.0\", test_version2:\"6.0.8\") ||\n version_in_range(version:typoVer, test_version:\"6.1.0\", test_version2:\"6.1.3\"))\n {\n security_message(typoPort);\n exit(0);\n }\n}\n", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2020-10-03T12:46:04", "description": "The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL.", "edition": 3, "cvss3": {}, "published": "2014-05-20T14:55:00", "title": "CVE-2013-4320", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4320"], "modified": "2014-05-21T13:08:00", "cpe": ["cpe:/a:typo3:typo3:6.0.2", "cpe:/a:typo3:typo3:6.0.5", "cpe:/a:typo3:typo3:6.1.1", "cpe:/a:typo3:typo3:6.0.1", "cpe:/a:typo3:typo3:6.1.3", "cpe:/a:typo3:typo3:6.1.2", "cpe:/a:typo3:typo3:6.0.8", "cpe:/a:typo3:typo3:6.0", "cpe:/a:typo3:typo3:6.0.7", "cpe:/a:typo3:typo3:6.0.4", "cpe:/a:typo3:typo3:6.0.6", "cpe:/a:typo3:typo3:6.0.3", "cpe:/a:typo3:typo3:6.1"], "id": "CVE-2013-4320", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4320", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:typo3:typo3:6.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:46:04", "description": "The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.", "edition": 3, "cvss3": {}, "published": "2014-05-20T14:55:00", "title": "CVE-2013-4321", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4321"], "modified": "2014-05-21T17:39:00", "cpe": ["cpe:/a:typo3:typo3:6.0.2", "cpe:/a:typo3:typo3:6.0.5", "cpe:/a:typo3:typo3:6.1.1", "cpe:/a:typo3:typo3:6.0.1", "cpe:/a:typo3:typo3:6.1.3", "cpe:/a:typo3:typo3:6.1.2", "cpe:/a:typo3:typo3:6.0", "cpe:/a:typo3:typo3:6.0.7", "cpe:/a:typo3:typo3:6.0.4", "cpe:/a:typo3:typo3:6.0.6", "cpe:/a:typo3:typo3:6.0.3", "cpe:/a:typo3:typo3:6.1"], "id": "CVE-2013-4321", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:typo3:typo3:6.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*"]}], "typo3": [{"lastseen": "2016-09-28T15:30:32", "bulletinFamily": "software", "cvelist": ["CVE-2013-4321", "CVE-2013-4320"], "edition": 1, "description": "It has been discovered that TYPO3 Core has Incomplete Access Management and is vulnerable to Remote Code Execution\n\n**Component Type:** TYPO3 Core\n\n**Vulnerability Types:** Cross-Site Scripting, Remote Code Execution\n\n**Overall Severity:** Critical\n\n**Release Date:** September 4, 2013\n\n## \n\n## Vulnerable subcomponent: File handling / File Abstraction Layer\n\n**Vulnerability Type:** Incomplete Access Management\n\n**Affected Versions:** All versions from 6.0.0 up to the development branch of 6.2\n\n**Severity:** Medium\n\n**Suggested CVSS v2.0:** [AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C](<http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?vector=%28AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:O/RC:C%29&g=3&lang=en> \"CVSS calculator\" ) ([What's that?](<http://buzz.typo3.org/teams/security/article/use-of-common-vulnerability-scoring-system-in-typo3-security-advisories/> \"Blog post on CVSS usage\" ))\n\n**CVE:** CVE-2013-4320\n\n**Problem Description: **TYPO3 comes with the possibility to restrict editors to certain file actions (copy, delete, move etc.) and to restrict these actions to be performed in certain locations (file mounts). This permission handling was only partly implemented with the introduction of the File Abstraction Layer (FAL). The file action permissions that can be set in backend user and group records were not respected and users could break out of file mounts by crafting URLs. Thus, unprivileged users could create or read arbitrary files within or outside the document root.\n\n**Solution:** Update to the TYPO3 version 6.0.9, 6.1.4 or the latest development version! 
**It is important to clear all caches **(clear cache all in the backend or deleting the complete typo3temp/Cache directory) **for the changes to take effect **after the TYPO3 source files have been updated!\n\n**Notes:** Administrators are advised to set file permissions for backend users or groups by using user TS Config instead of using the file permission check boxes in the user or group records. This allows more fine grained control for single file action permissions.\n\n**Example for setting default permissions for users or groups in User TSConfig:**\n \n \n permissions.file.default { \n addFile = 0 \n readFile = 1 \n writeFile = 1 \n copyFile = 1 \n moveFile = 1 \n renameFile = 0 \n unzipFile = 0 \n deleteFile = 0 \n addFolder = 1 \n readFolder = 1 \n writeFolder = 1 \n copyFolder = 1 \n moveFolder = 0 \n renameFolder = 0 \n deleteFolder = 1 \n recursivedeleteFolder = 1 \n } \n\n**Example setting permissions for storage with ID 1 (overriding default settings):**\n \n \n permissions.file.storage.1 { \n addFile = 1 \n readFile = 1 \n writeFile = 1 \n copyFile = 1 \n moveFile = 1 \n renameFile = 0 \n unzipFile = 0 \n deleteFile = 0 \n addFolder = 1 \n readFolder = 1 \n writeFolder = 1 \n copyFolder = 1 \n moveFolder = 0 \n renameFolder = 0 \n deleteFolder = 1 \n recursivedeleteFolder = 1 \n } \n\n**Credits:** Credits go to Sebastian Nerz who discovered and reported the issues, Steffen Ritter and Helmut Hummel for creating the fixes and Anja Leichsenring, Susanne Moog, Michiel Roos, Sascha Egerer and Ernesto Baschny for testing.\n\n## \n\n## Vulnerable subcomponent: File Abstraction Layer\n\n**Vulnerability Type:** Remote Code Execution\n\n**Affected Versions:** All versions from 6.0.0 up to the development branch of 6.2\n\n**Severity:** Critical\n\n**Suggested CVSS v2.0:** [AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C](<http://jvnrss.ise.chuo-u.ac.jp/jtg/cvss/cvss2.cgi?vector=%28AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:O/RC:C%29&g=3&lang=en> \"CVSS calculator\" ) ([What's 
that?](<http://buzz.typo3.org/teams/security/article/use-of-common-vulnerability-scoring-system-in-typo3-security-advisories/> \"Blog post on CVSS usage\" ))\n\n**CVE:** CVE-2013-4321\n\n**Problem Description:** The check for denied file extensions implemented in the File Abstraction Layer as mentioned in advisory TYPO3-CORE-SA-2013-002 was incomplete. It was still possible for editors to rename files to have denied file extensions by inserting special characters that were removed at a later point. This (again) allowed authenticated editors to forge php files with arbitrary code, which can then be executed in web server's context.\n\n**Solution:** Update to the TYPO3 version 6.0.9, 6.1.4 or the latest development version!\n\n**Credits:** Credits go to Sascha Egerer who discovered and reported the issue. \n\n**General Advice:** Follow the recommendations that are given in the [TYPO3 Security Guide](<http://docs.typo3.org/typo3cms/SecurityGuide/> \"Opens external link in new window\" ). Please subscribe to the [typo3-announce](<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce>) mailing list.\n", "modified": "2013-09-04T00:00:00", "published": "2013-09-04T00:00:00", "id": "TYPO3-CORE-SA-2013-003", "href": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003/", "type": "typo3", "title": "Incomplete Access Management and Remote Code Execution Vulnerability in TYPO3 Core", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}