Bug #17213: Storing ENABLE_INSTALL_TOOL in typo3conf is possibly insecure
Status: closed
Description
Since TYPO3 Version 4.1 the install tool can be enabled by placing an empty file ENABLE_INSTALL_TOOL in the typo3conf folder.
The directory typo3conf itself has to be writable for the webserver (temp files, extensions, etc.). A possible attack would utilize an insecure extension or user generated php-code etc. to create this file, since the webserver has sufficient rights to do so!
The functionality in earlier versions was more secure concerning this attack, since the install tool's index.php itself had to be changed and is not webserver writable by default. But the old behaviour is not desirable in any way, because it was not possible to selectively enable the install tool on a single site.
Fixing this issue would mean to store the file in a folder that is not writeable for the webserver (needless to say, this depends on individual file permissions), e.g. htdocs or even some other directory outside htdocs.
Change
-------------------------------------------
$enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
----------------- to ----------------------
$enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/ENABLE_INSTALL_TOOL';
(issue imported from #M5440)
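The report above comes down to one check an administrator can run: is the enable file present, and is the directory that holds it writable by the account the webserver runs as? The following POSIX shell function is an added example for this thread, not code from the TYPO3 project or the reporter. It assumes the default layout named in the report (webroot/typo3conf/ENABLE_INSTALL_TOOL) and tests writability from the perspective of the invoking user, so it should be run as the webserver user to model the scenario described.

```shell
#!/bin/sh
# Added hardening check (not TYPO3 code): report whether the install tool is
# enabled via the ENABLE_INSTALL_TOOL flag file and whether that file's
# directory is writable by the user running this script.
#
# Exit codes:
#   0  flag file absent: install tool disabled
#   1  flag file present and typo3conf writable by this user (the risk the
#      report describes, when run as the webserver user)
#   2  flag file present but typo3conf not writable by this user
check_install_tool_flag() {
    webroot=$1
    dir="$webroot/typo3conf"          # default location per the report
    flag="$dir/ENABLE_INSTALL_TOOL"
    user=$(id -un)

    if [ ! -e "$flag" ]; then
        echo "OK: install tool disabled ($flag absent)"
        return 0
    fi

    if [ -w "$dir" ]; then
        echo "WARNING: install tool enabled and $dir is writable by $user;"
        echo "         any code running as $user could have created $flag"
        return 1
    fi

    echo "NOTE: install tool enabled; $dir is not writable by $user"
    return 2
}

# Stand-alone usage: check_install_tool_flag /var/www/html
if [ -n "$1" ]; then
    check_install_tool_flag "$1"
fi
```

Because the function only reports and never modifies the tree, it is safe to run from cron or a monitoring agent; a transition from exit code 0 to 1 between runs is the event worth alerting on, since the report's concern is the flag file appearing without an administrator having placed it.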
Updated by Oliver Hader over 17 years ago
You can still disable the install tool globally by inserting a die() into typo3/install/index.php or just removing the folder typo3/install/.
According to the scenario you described:
If there is an extension or any other insecure part of a website which allows writing new files and filling them with code, it probably would also be possible to write PHP code to that file. Thus, the install tool isn't required any more to cause damage to a site. This could be done directly by calling this newly created file via browser (e.g. typo3conf/malware.php).
IMO the website admin has to take care which (insecure) extensions are installed and to upgrade the server environment (apache, libs, whatever) to the latest secure releases. Just my two cents, what do others think?
Updated by Christopher Hlubek over 17 years ago
Of course you can still disable the install tool (the comment in line 49 says exactly that :) ), but I think many users just use the defaults and don't change the typo3_src files, not to mention securing their installs according to the "TYPO3 Security Cookbook".
Personally, I appreciate the new approach, since you don't need to enable all install tools for every site using the source at once! On the other side the new way is more insecure than the old way in allowing more possible attacks.
Updated by Michael Stucki over 17 years ago
I don't get your point about this. Do you suggest to remove the functionality, or would you like to keep it?
Obviously the feature is just as secure as the installation itself is. If you are paranoid, edit typo3/install/index.php like you had to do before. It's just the default setting that has changed.
Updated by Christian Kuhn over 15 years ago
Resolved, no change required:
- No further feedback for a long time
- Install tool can easily be disabled in typo3/install/index.php in line 50 by making the if statement evaluate to true.
- An attacker who gains access to the system through core / extensions probably doesn't need to access the install tool to evolve further malicious actions.