TYPO3 require函数信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1196305 漏洞类型 未知
发布时间 2006-01-20 更新时间 2006-01-20
CVE编号 CVE-2006-0327 CNNVD-ID CNNVD-200601-257
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/88503
https://cxsecurity.com/issue/WLB-2006010048
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-257
|漏洞详情
TYPO3存在信息泄露漏洞,远程攻击者可以通过直接请求(1)thumbs.php、(2)showpic.php或(3)tables.php,使其错误地定义变量,并在require函数调用失败时,在出错信息中揭示路径,以此来获取敏感信息。
|漏洞EXP
----------------------------------------------------------------------
IRM Security Advisory No. 015

File system path disclosure on TYPO3 Web Content Manager

Vulnerablity Type / Importance: Information Leakage / Medium

Problem discovered: January 13th 2006
Vendor contacted: January 13th 2006
Advisory published: January 19th 2006
----------------------------------------------------------------------

Abstract:

TYPO3 is a free Open Source content management system for enterprise
purposes on the web and in intranets. It offers full flexibility and
extendability while featuring an accomplished set of ready-made interfaces,
functions and modules.

Description:

IRM has discovered an information leakage vulnerability in TYPO3 that
allows remote users to disclose the file system path of the application when
requesting certain files.

The following files were found to disclose the application path:

http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php

Technical details:

The issue is due to the application failing to properly determine its own
physical path and therefore trying to 'require()' a wrong class file.

From init.php, line 71:
define('PATH_thisScript',str_replace('//','/', str_replace('\','/',
(php_sapi_name()=='cgi'||php_sapi_name()=='isapi' 
||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERV
ER['
ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? 
($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SER
VER[
'PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCR
IPT_
FILENAME']:$_SERVER['SCRIPT_FILENAME']))));

From the PHP manual:
"You can define a constant by using the define()-function. Once a constant
is
defined, it can never be changed or undefined"

The vulnerable files listed above fail to include init.php and the
'PATH_thisScript' variable is locally calculated:

define('PATH_thisScript',str_replace('//','/', str_replace('\','/',
(php_sapi_name()=='cgi'||php_sapi_name()=='isapi' 
||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERV
ER['
ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? 
($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SER
VER[
'PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCR
IPT_
FILENAME']:$_SERVER['SCRIPT_FILENAME']))));

define('PATH_site', ereg_replace('[^/]*.[^/]*$','',PATH_thisScript));

define('PATH_t3lib', PATH_site.'t3lib/'); define('PATH_tslib',
PATH_site.'tslib/');

At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values
and any 'require()' function using these constants will not work and will
disclose the file system path.

Tested Versions:

Version 3.7.1

Vendor & Patch Information:

Contact was initially made via the TYPO3 bug reporting system on January
13th 2006. 
On January 14th a patch for the issue was published on the site 
(http://bugs.typo3.org/view.php?id=2248)

Workarounds:

IRM are not aware of any workarounds for this issue.

Credits:

Research & Advisory: Rodrigo Marcos

Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:

http://www.irmplc.com/advisories.htm

----------------------------------------------------------------------

Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom 
SW1P 3JJ
+44 (0)207 808 6420

UPDATE : 

On Thu, Jan 19, 2006 at 10:30:36AM -0000, Advisories wrote:
> File system path disclosure on TYPO3 Web Content Manager
> Vulnerablity Type / Importance: Information Leakage / Medium

Hm, since when path disclosure is "medium importance"?

> The following files were found to disclose the application path:
> http://hostname/typo3/t3lib/thumbs.php
> http://hostname/tslib/showpic.php
> http://hostname/t3lib/stddb/tables.php
> Tested Versions:
> Version 3.7.1

The first one verified as applicable to 3.8.1 too (easily
avoidable by adding IP- or user-based access restriction
to /typo3 since that's administrative backend anyways),
and the rest doesn't disclose anything on properly configured
at least display_errors-wise webserver, which is a documented
recommended (and often reiterated everywhere) PHP setup.

> Workarounds:
> IRM are not aware of any workarounds for this issue.

Ouch. :)

-- 
 ---- WBR, Michael Shigorin <mike (at) altlinux (dot) ru [email concealed]>
  ------ Linux.Kiev http://www.linux.kiev.ua/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFDz+TWbsPDprYMm3IRAsTzAJ95EE3jI3vFMZfSxaeMngvXvONOjQCdEj11
M8aMdL19h8fLI3+7F4NNNXM=
=WJmd
-----END PGP SIGNATURE-----
|受影响的产品
Typo3 Typo3 3.7.1 Typo3 Typo3 3.8.1
|参考资料

来源:BUGTRAQ
名称:20060119IRM015:FilesystempathdisclosureonTYPO3WebContentManager
链接:http://www.securityfocus.com/archive/1/archive/1/422360/100/0/threaded
来源:BUGTRAQ
名称:20060119Re:IRM015:FilesystempathdisclosureonTYPO3WebContentManager
链接:http://www.securityfocus.com/archive/1/archive/1/422390/100/0/threaded
来源:MISC
链接:http://www.irmplc.com/advisory015.htm
来源:SECUNIA
名称:18546
链接:http://secunia.com/advisories/18546
来源:MISC
链接:http://bugs.typo3.org/view.php?id=2248
来源:XF
名称:typo3-multiple-path-disclosure(24244)
链接:http://xforce.iss.net/xforce/xfdb/24244
来源:OSVDB
名称:22667
链接:http://www.osvdb.org/22667
来源:OSVDB
名称:22666
链接:http://www.osvdb.org/22666
来源:OSVDB
名称:22665
链接:http://www.osvdb.org/22665
来源:VUPEN
名称:ADV-2006-0269
链接:http://www.frsirt.com/english/advisories/2006/0269
来源:SREASON
名称:361
链接:http://securityreason.com/securityalert/361