WEC Security ALERT: Typo3 SQL Injection

Typo3 SQL Injection NEWS extension

Connectivity.Engineer, in partnership with Hop Off A Cloud, the entity that took over hosting for Typo3USA and Web Empowered Church (WEC), has notified each of its WEC TYPO3 platform users about an exploit of the TYPO3 / Web Empowered Church platform.

The News module, used by ALL WEC INSTALLS and the 20th most used module of TYPO3, is subject to an SQL injection vulnerability. Sadly, the author of the module has been contacted numerous times over a span of 4 months, and no fix has been provided. After numerous requests, the details of the SQL injection have been released to the TYPO3 community at large.

It should be noted that the vulnerability is only present when the module’s setting overrideDemand is set to 1, which is the default.

The module is organized as an MVC architecture. As a user, you are allowed to list and read news.

The former lets you define criteria to filter the news, such as the author, categories, date of publication, etc.

To learn more about the exploit itself, please visit the blog post from the folks at Ambionics.IO:
https://www.ambionics.io/blog/typo3-news-module-sqli

Perhaps the most discouraging aspect of this exploit is that the author/developer of this extension has NOT responded:

Timeline

  • 2017-01-05 Sent email to TYPO3’s security team, reporting exploitation via DateField (same vector, just easier)
  • 2017-01-20 Vulnerability acknowledged, TYPO3 says it has been patched
  • 2017-01-25 Reporting exploitation via OrderByAllowed
  • 2017-04-05 Still no answer after numerous tries

Patch

The best way to patch this is to block users from changing the demand parameters by setting overrideDemand to zero. Another way is to block any key containing any case-variation or URL-encoding of OrderByAllowed from GET and POST.
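As an added example (not code from this post, from Ambionics, or from the News extension), here is a small Python filter implementing the second mitigation: every raw GET/POST key is repeatedly URL-decoded and case-folded before being checked for OrderByAllowed, so case variants and double-encoded forms are caught too, and the same check is run over constructed access-log lines for detection. The tx_news_pi1 prefix is assumed from TYPO3 naming and the nested demand key name is constructed.

```python
import re
from urllib.parse import unquote

TARGET = "orderbyallowed"

def normalize_key(key: str, max_rounds: int = 5) -> str:
    """Undo repeated percent-encoding (%254f -> %4f -> O), then case-fold.
    Rounds are bounded so a pathological key cannot loop forever."""
    prev, cur = None, key
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.casefold()

def key_is_blocked(key: str) -> bool:
    """True when the decoded, case-folded key contains OrderByAllowed anywhere.
    Substring match, not equality, because TYPO3 form keys nest in brackets,
    e.g. plugin[demand][OrderByAllowed]; 'demand' here is a constructed name."""
    return TARGET in normalize_key(key)

def blocked_keys(query_or_body: str) -> list:
    """Raw keys of an application/x-www-form-urlencoded string that must be
    dropped before the request reaches the extension."""
    keys = [pair.split("=", 1)[0] for pair in query_or_body.split("&") if pair]
    return [k for k in keys if key_is_blocked(k)]

# Detection: scan combined-format access-log lines for the same keys.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_access_log(lines) -> list:
    """Return (line_number, offending_raw_key) pairs for matching requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and "?" in m.group(1):
            for k in blocked_keys(m.group(1).split("?", 1)[1]):
                hits.append((n, k))
    return hits

# Constructed sample log; tx_news_pi1 is the assumed plugin prefix.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Apr/2017:10:00:01 +0000] "GET /news/?id=12&tx_news_pi1%5Bnews%5D=7 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Apr/2017:10:00:02 +0000] "GET /news/?id=12&tx_news_pi1%5Bdemand%5D%5BorDerByAlloWed%5D=uid HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Apr/2017:10:00:03 +0000] "GET /news/?tx_news_pi1%5Bdemand%5D%5B%254fRDERBYALLOWED%5D=uid HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, k in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: blocked key {k!r} -> {normalize_key(k)!r}")
```

Only the second and third sample lines are flagged; the first carries an ordinary news key and passes.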
