Typo3 JobControl 2.14.0 Cross Site Scripting / SQL Injection

2014-09-26T00:00:00
ID PACKETSTORM:128446
Type packetstorm
Reporter Hans-Martin Muench
Modified 2014-09-26T00:00:00

Description

                                        
                                            `Mogwai Security Advisory MSA-2014-02  
----------------------------------------------------------------------  
Title: JobControl (dmmjobcontrol) Multiple Vulnerabilities  
Product: dmmjobcontrol (Typo3 Extension)  
Affected versions: 2.14.0  
Impact: high  
Remote: yes  
Product link: http://typo3.org/extensions/repository/view/dmmjobcontrol  
Reported: 05/09/2014  
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)  
  
  
Vendor's Description of the Software:  
----------------------------------------------------------------------  
JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs  
("vacancies") on your website. It provides a list- and detail view and  
the ability to search and apply for jobs. It can even make RSS feeds of  
your joblist.  
  
It works with html templates so it's easy to configure how the extension  
will look for your site. The list can be shown as a "paginated list",  
including a page-browser. The extension itself is multi-lingual, at this  
moment English, Danish, Polish, German, Russian and Dutch are included.  
The best feature however is that multi-lingual jobs are fully supported  
too, so you can provide a translation for a job if you have a multi-lingual  
site.  
  
JobControl uses MM-relation tables for regions, branches, sectors etc.  
This means that for every new site, you can make a new list of branches to  
use. They are not hardcoded and don't require any TypoScript to set up.  
  
JobControl is very easy to set up, with good default templates that can  
be styled to your needs using css stylesheets. It's very powerful and  
flexible too with lots of configuration options for advanced users.  
  
  
Business recommendation:  
----------------------------------------------------------------------  
According to the Typo3 Security Team the extension maintainer no longer  
maintains the extension and is therefore not providing an update.  
  
Exploitation can be prevented with the workaround below. However, the  
extension should be replaced with a maintained alternative.  
  
Vulnerability description:  
----------------------------------------------------------------------  
1) Unauthenticated Blind SQL Injection  
dmmjobcontrol provides a search function for the job database. Several  
input fields (for example education, region, sector) are used without  
proper sanitization to create the SELECT statement of the search query.  
  
2) Reflected Cross Site Scripting (XSS)  
The value of the "keyword" parameter is inserted without any sanitization  
into the HTML response of the search request. This can be abused to inject  
malicious HTML/JavaScript code into the HTML response.  
  
  
Proof of concept:  
----------------------------------------------------------------------  
1) Unauthenticated Blind SQL Injection  
The following PoC demonstrates blind SQL injection via the sector parameter;  
other parameters are also vulnerable:  
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20  
  
2) Reflected Cross Site Scripting (XSS)  
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=">  
  
Vulnerable / tested versions:  
----------------------------------------------------------------------  
dmmjobcontrol 2.14.0  
  
  
Disclosure timeline:  
----------------------------------------------------------------------  
05/09/2014: Reporting to the Typo3 Security team  
05/09/2014: Response from Typo3 Security team that they received the mail  
24/09/2014: Mail to Typo3 Security team, asking for the current status  
25/09/2014: Response from Typo3 Security Team that they released an advisory [1]  
25/09/2014: Release of public advisory  
  
  
Workaround (use on your own responsibility):  
----------------------------------------------------------------------  
In the file:  
typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php  
  
To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the  
following PHP code:  
$markerArray['###KEYWORD_VALUE###'] =  
htmlspecialchars($session['search']['keyword'], ENT_QUOTES);  
  
To fix the SQL Injection vulnerability, replace line 257 with the following  
PHP code:  
// $value is the array of submitted ids; cast each element to an integer  
// before it is joined into the WHERE clause (intval() on the array itself  
// would not work, since implode() needs an array as its second argument).  
$ids = array_map('intval', (array) $value);  
$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND  
('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=', $ids).')';  
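To show why both workarounds are needed, the following added example (not code from the extension or from the advisory) models the two affected code paths side by side with hypothetical function names and a hypothetical MM table name, and feeds them inputs modelled on the PoC values above; it builds strings only and talks to no database.

```php
<?php
// Added illustration of the two affected code paths. Function names, the table
// name and the sample inputs are hypothetical; no SQL is executed here.

// Vulnerable shape: submitted ids are glued into the WHERE clause unchanged.
function buildSectorWhereUnsafe(string $table, array $value): string {
    return $table . '.uid_local=tx_dmmjobcontrol_job.uid AND ('
        . $table . '.uid_foreign=' . implode(' OR ' . $table . '.uid_foreign=', $value) . ')';
}

// Hardened shape (the advisory's intent): every id is cast to an integer, so
// no SQL syntax from the request can reach the query.
function buildSectorWhereSafe(string $table, $value): string {
    $ids = array_map('intval', (array) $value);
    return $table . '.uid_local=tx_dmmjobcontrol_job.uid AND ('
        . $table . '.uid_foreign=' . implode(' OR ' . $table . '.uid_foreign=', $ids) . ')';
}

// Vulnerable shape: the keyword is written into the HTML template as-is,
// so a double quote closes the value attribute.
function keywordMarkerUnsafe(string $keyword): string {
    return '<input type="text" name="keyword" value="' . $keyword . '">';
}

// Hardened shape: HTML-encode the keyword, quotes included, before templating.
function keywordMarkerSafe(string $keyword): string {
    return '<input type="text" name="keyword" value="'
        . htmlspecialchars($keyword, ENT_QUOTES) . '">';
}

// Constructed inputs, URL-decoded from the shape of the PoC requests above.
$table   = 'job_sector_mm';                               // hypothetical MM table
$sector  = ['3) and benchmark(20000000,sha1(1))-- '];     // sector[] value
$keyword = '"><b>injected</b>';                           // keyword value

echo "SQL  (unsafe): " . buildSectorWhereUnsafe($table, $sector) . PHP_EOL;
echo "SQL  (safe):   " . buildSectorWhereSafe($table, $sector) . PHP_EOL;   // uid_foreign=3
echo "HTML (unsafe): " . keywordMarkerUnsafe($keyword) . PHP_EOL;
echo "HTML (safe):   " . keywordMarkerSafe($keyword) . PHP_EOL;             // &quot;&gt;&lt;b&gt;...
```

Running it shows the unsafe SQL fragment ending in `-- )` with the benchmark() call inside the query, while the safe variant reduces the same input to `uid_foreign=3`; likewise the encoded keyword stays inside the attribute instead of breaking out of it.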
  
  
References:  
----------------------------------------------------------------------  
[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl  
(dmmjobcontrol)  
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012  
  
Advisory URL:  
----------------------------------------------------------------------  
https://www.mogwaisecurity.de/#lab  
  
  
----------------------------------------------------------------------  
Mogwai, IT-Sicherheitsberatung Muench  
Steinhoevelstrasse 2/2  
89075 Ulm (Germany)  
  
Tel. +49 731 205 89 0  
Fax +49 731 205 89 29  
info@mogwaisecurity.de  
  