Project

General

Profile

Actions

Bug #79697

closed

ImageTragick - CVE-2016-3714

Added by Alvaro Folgado almost 8 years ago. Updated almost 8 years ago.

Status:
Rejected
Priority:
Must have
Assignee:
-
Category:
Security
Target version:
Start date:
2017-02-08
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
8
PHP Version:
7.1
Tags:
Complexity:
easy
Is Regression:
No
Sprint Focus:

Description

Hello typo3CMS staff,

I am a security engineer performing some research, and I would like to communicate some security issues with your software.

I have already contacted security team by private message and they told me that they cannot fix the checking of magic bytes in the core of the CMS, and they offered me to post here the issue.
They asked me not to share the payload, but a simple google search will give anyone a working payload to run commands in a vulnerable operating system (this bug is a command injection, is easy to exploit).

This issue is serious, the solution give to avoid it should not be only to rely in a updated operating system software and imagemagick. Web server logic should check for the image content. Since there is a lot of people that can be using the cms in vulnerable systems.

I have found a security issue: Remote Code Execution, in your last typo3 version (2.4.1).

This RCE is triggered thanks to imagemagick issue (CVE-2016-3714).
This has been discover by uploading images of different extensions in the main file uploading tool that the cms give to the administrator, but that could be used by plain users to upload avatars,etc.

By uploading a ".svg" image file with the following content:

*[banned]*

Could let to an Remote Code Execution from basic users (since for example uploading avatar and loading the image will trigger the vulnerability).

The right mitigation will be to check "magic bytes" on image upload, so we should avoid the injection of this kind of payload instead of a true image.

Tested on:

Os > Debian 4.8.11-1kali1 (2016-12-08) x86_64

PhP > PHP 7.0.14-2

Mysql > Ver 14.14 Distrib 5.6.30, for debian-linux-gnu (x86_64)

typo3CMS > 7.6.15 ==> Moss probably version 8 of Typo3 will have same issues

Thank you for your attention, and I hope to have an answer back soon,
Alvaro Folgado

Actions #1

Updated by Helmut Hummel almost 8 years ago

  • Assignee deleted (Helmut Hummel)
Actions #2

Updated by Helmut Hummel almost 8 years ago

  • Status changed from New to Rejected
  • Tags deleted (Remote Code Execution)

it should not be only to rely in a updated operating system software and imagemagick

I disagree and it seems, I'm not alone with that opinion: https://www.drupal.org/node/2718305 https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/

If processing of SVGs is not needed, TYPO3 can be configured to not allow upload files with this extensions or this extension can be removed from image processing. I consider these mitigation within TYPO3 to be sufficient.

Actions

Also available in: Atom PDF