lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 20 Dec 2006 14:04:15 +0100
From: "SEC Consult Research" <>
To: <>, <>
Subject: SEC Consult SA-20061220-0 :: Typo3 Command
	Execution Vulnerability

SEC-CONSULT Security Advisory < 20061220-0>
                  title: Remote Command Execution in Typo3
                program: Typo3 Content Management System
     vulnerable version: 4.0.0 - 4.0.3
                         3.7 and 3.8 with rtehtmlarea extension
                 impact: critical
                  found: 2006-11-21
                     by: D. Fabian / SEC-CONSULT /
                         J. Greil  / SEC-CONSULT /
         permanent link:

vendor description:

TYPO3 is a free Open Source content management system for enterprise 
purposes on the web and in intranets. It offers full flexibility and 
extendability while featuring an accomplished set of ready-made 
interfaces, functions and modules.


vulnerability overview:

In version 4.0 and above, Typo3 includes a sysext named rtehtmlarea.
The extension can optionally also be installed on Typo3 versions below
4.0. This RTE HTML Editor allows spell checking, for which it uses the
command line tool 'aspell'.

When this program is called, unvalidated user input is used as argument 
to the system call. Login to the backend is /not/ required to exploit 
this vulnerability. 

This allows an attacker to execute arbitrary commands on the target

vulnerability details:

The affected script resides in /typo3/sysext/rtehtmlarea/htmlarea/
plugins/SpellChecker/spell-check-logic.php which calls the vulnerable
script /typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php.
It requires a GET parameter id with the pageid of an existing page.
When the POST parameter cmd is set to learn, the parameter userUid is
not validated and can be used by an attacker to inject code.

Here is the vulnerable code (line 208):
--- code ---
$AspellCommand = 'cat ' . $tmpFileName . ' | ' . $this->AspellDirectory
 . ' -a --mode=none' . $this->personalDictsArg . ' --lang=' .
 $this->dictionary . ' --encoding=' . $this->parserCharset . ' 2>&1';
print $AspellCommand . "\n";
print shell_exec($AspellCommand);
--- /code ---

There seems to be a second command execution vulnerability in the same
file in line 365. It is left as a task to the reader to exploit that

For typo3 versions < 4.0, the rtehtmlarea extension is probably located
at /typo3/ext.

proof of concept:

Here is a sample POST request that writes a file 'shell.txt' into /tmp:

--- post request ---
POST /typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-
check-logic.php?id=1 HTTP/1.1
User-Agent: none
Content-Type: application/x-www-form-urlencoded
Content-Length: 111

--- /post request ---

vulnerable versions:

Versions 4.0 - 4.0.3 as well as 4.1beta seem to be vulnerable to the 
described attack. Also vulnerable are versions 3.7 and 3.8 if the 
rtehtmlarea extension is installed.
The issue has been resolved in version 4.0.4.

vendor status:
vendor notified: 2006-12-07
vendor response: 2006-12-07
patch available: 2006-12-20
coordinated disclosure: 2006-12-20

SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: research at sec-consult dot com 

EOF Daniel Fabian / @2006

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists