lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5360AAB7.9070802@sec-consult.com>
Date: Wed, 30 Apr 2014 10:48:07 +0300
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20140430-0 :: SQL injection and persistent XSS
 in the Typo3 3rd party extension si_bibtex

SEC Consult Vulnerability Lab Security Advisory < 20140430-0 >
=======================================================================
              title: SQL injection and persistent XSS
            product: Typo3 3rd party extension si_bibtex
 vulnerable version: si_bibtex 0.2.3
      fixed version: -
             impact: critical
           homepage: http://typo3.org/extensions/repository/view/si_bibtex
              found: 2013-09-24
                 by: B. Schildendorfer
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"TYPO3 is an enterprise-class, Open Source CMS (Content Management System),
used internationally to build and manage websites of all types, from small
sites for non-profits to multilingual enterprise solutions for large
corporations."

Source: http://typo3.org/about/typo3-the-cms/


Software description:
---------------------
"'BibTex Publications' allows you to import Bibtex files from the front-end
and store them in a sysfolder. The front-end plug-in generates list and single
views of entries and provides a simple search tool. It allows also the
automatic import of BibTex files"

Source: http://docs.typo3.org/typo3cms/extensions/si_bibtex/0.2.3/


Business recommendation:
------------------------
By exploiting this SQL injection vulnerability, an attacker is able to gain
full access to the Typo3 database. He can use this access to crack the stored
backend user passwords which would then lead to a complete system compromise
on success. Depending on the location where the extension is used in the web
application, this may be possible by an unauthenticated attacker.

It is highly recommended to uninstall the si_bibtex extension until the
vulnerabilities are fixed.


Vulnerability overview/description:
-----------------------------------
The vulnerable plugin (si_bibtex) is used to import, export and view
bibliography files used for scientific citation. Flaws in the input validation
of this software lead to SQL injection and persistent cross-site scripting
vulnerabilities.

1) SQL injection

The bibtex "search" and "list" allows a user to display specific bibtex items.
Due to insufficient input validation of a parameter, an attacker can inject
into the SQL query statement. By exploiting this vulnerability, an
attacker gains access to all records stored in the database with the
privileges of the Typo3 database user.

2) Persistent cross-site scripting

The bibtex "import" functionality is prone to persistent cross-site scripting
attacks. The vulnerability can be used to include HTML or JavaScript code to
the affected web page. The imported XSS code will be displayed to every user
who calls the "search" or "list" functionality of this extension.



Proof of concept:
-----------------
No proof of concept code available due to missing solution/workaround.


Vulnerable / tested versions:
-----------------------------
The following version of the si_bibtex extension has been tested, which was
the most recent version at the time of discovery.
si_bibtex 0.2.3


Vendor contact timeline:
------------------------
2013-11-05: Contacting vendor through security@...o3.org
2013-11-06: Got PGP key from vendor
2013-11-11: Sent the advisory
2014-02-23: Vendor: patch delayed
2014-03-13: Deadline defined for 2014-04-11
2014-04-11: Postponing release of advisory, giving Typo3 team some more time
2014-04-30: Release of security advisory, no patch available


Solution:
---------
No patch available.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF B. Schildendorfer / @2014

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ