lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <005801c61ce3$628b2d40$660019ac@test.irmplc.com>
Date: Thu, 19 Jan 2006 10:30:36 -0000
From: "Advisories" <advisories@...plc.com>
To: <bugtraq@...urityfocus.com>
Subject: IRM 015: File system path disclosure on TYPO3 Web Content Manager


----------------------------------------------------------------------
IRM Security Advisory No. 015

File system path disclosure on TYPO3 Web Content Manager

Vulnerablity Type / Importance: Information Leakage / Medium

Problem discovered: January 13th 2006
Vendor contacted: January 13th 2006
Advisory published: January 19th 2006
----------------------------------------------------------------------

Abstract:

TYPO3 is a free Open Source content management system for enterprise
purposes on the web and in intranets. It offers full flexibility and
extendability while featuring an accomplished set of ready-made interfaces,
functions and modules.

Description:

IRM has discovered an information leakage vulnerability in TYPO3 that
allows remote users to disclose the file system path of the application when
requesting certain files.

The following files were found to disclose the application path:

http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php

Technical details:

The issue is due to the application failing to properly determine its own
physical path and therefore trying to 'require()' a wrong class file.

 From init.php, line 71:
define('PATH_thisScript',str_replace('//','/', str_replace('\\','/',
(php_sapi_name()=='cgi'||php_sapi_name()=='isapi' 
||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['
ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? 
($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER[
'PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_
FILENAME']:$_SERVER['SCRIPT_FILENAME']))));

 From the PHP manual:
"You can define a constant by using the define()-function. Once a constant
is
defined, it can never be changed or undefined"

The vulnerable files listed above fail to include init.php and the
'PATH_thisScript' variable is locally calculated:

define('PATH_thisScript',str_replace('//','/', str_replace('\\','/',
(php_sapi_name()=='cgi'||php_sapi_name()=='isapi' 
||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['
ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? 
($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER[
'PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_
FILENAME']:$_SERVER['SCRIPT_FILENAME']))));

define('PATH_site', ereg_replace('[^/]*.[^/]*$','',PATH_thisScript));

define('PATH_t3lib', PATH_site.'t3lib/'); define('PATH_tslib',
PATH_site.'tslib/');

At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values
and any 'require()' function using these constants will not work and will
disclose the file system path.


Tested Versions:

Version 3.7.1 


Vendor & Patch Information:

Contact was initially made via the TYPO3 bug reporting system on January
13th 2006. 
On January 14th a patch for the issue was published on the site 
(http://bugs.typo3.org/view.php?id=2248)


Workarounds:

IRM are not aware of any workarounds for this issue.


Credits:

Research & Advisory: Rodrigo Marcos


Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:

http://www.irmplc.com/advisories.htm

----------------------------------------------------------------------

Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom 
SW1P 3JJ
+44 (0)207 808 6420




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ