Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32633
HistoryOct 26, 2015 - 12:00 a.m.

[CVE-2015-5956] Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting

2015-10-2600:00:00
vulners.com
53
JSON

secunet Security Networks AG Security Advisory

Advisory: Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting

  1. DETAILS

Product: Typo3 CMS
Vendor URL: typo3.org
Type: Cross-site Scripting[CWE-79]
Date found: 2015-07-30
Date published: 2015-09-14
CVSSv2 Score: 3,5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVE: CVE-2015-5956

  1. AFFECTED VERSIONS

Typo3 6.2.14 and below
Typo3 4.5.40 and below
and other older versions may be affected too.

  1. INTRODUCTION

"With more than 500,000 installations TYPO3 CMS is the most widely used
Enterprise Content Management System, providing the basis for websites,
intranets and web & mobile applications worldwide."

(from the vendor's homepage)

  1. VULNERABILITY DETAILS

The Typo3 version branches 6.x and 4.x are vulnerable to an authenticated,
non-persistent Cross-Site Scripting vulnerability when user-supplied input
is processed by the sanitizeLocalUrl() function. While there is already a
XSS filter in place, it is possible to mitigate it by using a data URI with
a base64 encoded payload.

The payload is slightly different through the vulnerable branches, 6.x needs
a space in the data URI payload, while 4.x doesn't. In the following proof
of concepts, the javascript <script>alert('XSS')</script> is used as a
base64 encoded data URI in the "returnUrl" and "redirect_url" parameters,
which can be found throughout Typo3.

4.x Branch Proof-of-Concept:
The following request forges the "back" link in the Typo3 "Show record
history" backend module:
https://example.com/typo3/show_rechis.php?returnUrl=data:text/html;base64,PH
NjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

6.x Branch Proof-of-Concept:
Typo3 uses the payload from the "redirect_url" parameter in the HTTP
Location header and therefore "redirects" the victim to the payload after
logging in:
https://example.com/typo3/index.php?redirect_url=data:text/html;base64,&#37;20PH
NjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

7.x Branch:
The 7.x branch is basically vulnerable too, but the attacker additionally
needs to know a secret token (moduleToken), which is included in every
request in order to successfully exploit the vulnerability, which makes
exploitation unfeasible.

The following request forges the "back" link in the Typo3 "Show record
history" backend module:
https://example.com/typo3/index.php?M=record_history&amp;moduleToken=260ab28ad49
73d29e0a77d2f799e79ca3028de28&element=tt_content%3A1&returnUrl=&returnUrl=da
ta:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=

  1. SECURITY RISK

The vulnerability can be used to temporarily embed arbitrary script code
into the context of the Typo3 backend interface, which offers a wide range
of possible attacks such as stealing cookies or attacking the browser and
its components.

The exploit probability is different depending on the attacked parameters.
In order to exploit the "redirect_url" parameter, the victim only has to
login to the backend interface, while there is an even higher amount of user
interaction needed to exploit the "returnUrl" parameter, because the victim
needs to be logged in to the backend with appropriate access rights, follow
the prepared link and has to click on the "Back" button in the view.

  1. SOLUTION

Update to TYPO3 versions 6.2.15 or 7.4.0

  1. REPORT TIMELINE

2015-07-30: Vulnerability discovered
2015-08-03: CVE requested from MITRE
2015-08-04: Vendor notified
2015-08-07: CVE-2015-5956 assigned
2015-08-07: Vendor acknowledges the vulnerability
2015-09-08: Vendor releases update and security advisory
2015-09-14: Advisory released

  1. REFERENCES / CREDITS

This vulnerability was discovered and researched by Julien Ahrens from
secunet Security Networks AG.

[0]
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa
-2015-009/

secunet Security Networks AG

secunet is one of Germany's leading providers of superior IT security. In
close dialogue with its customers – enterprises, public authorities and
international organisations – secunet develops and implements
high-performance products and state-of-the-art IT security solutions. Thus,
secunet not only keeps IT infrastructures secure for its customers, but also
achieves intelligent process optimisation and creates sustainable added
value. More information about secunet can be found at:
https://www.secunet.com


secunet Security Networks AG
Kronprinzenstra?e 30
45128 Essen, Germany
Local Court of Essen HRB 13615
Board of management: Dr. Rainer Baumgart (CEO), Thomas Pleines

Related

checkpoint_advisories 1
typo3 1
prion 1
packetstorm 1
openvas 1
cve 1
ubuntucve 1
securityvulns 1
checkpoint_advisories
checkpoint_advisories
Typo3 CMS SanitizeLocalUrl Cross-Site Scripting (CVE-2015-5956)
2015-10-08 00:00:00
typo3
typo3
Non-Persistent Cross-Site Scripting
2015-09-08 00:00:00
prion
prion
Cross site scripting
2015-09-16 14:59:00
packetstorm
packetstorm
Typo3 CMS 6.2.14 / 4.5.40 Cross Site Scripting
2015-09-14 00:00:00
openvas
openvas
TYPO3 'sanitizeLocalUrl' function Cross-Site Scripting Vulnerability (SA-2015-009)
2015-10-08 00:00:00
cve
cve
CVE-2015-5956
2015-09-16 14:59:00
ubuntucve
ubuntucve
CVE-2015-5956
2015-09-16 00:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-10-26 00:00:00
JSON
Related for SECURITYVULNS:DOC:32633
checkpoint_advisories1typo31prion1packetstorm1openvas1cve1ubuntucve1securityvulns1