Bug #79697

closed

ImageTragick - CVE-2016-3714

Added by Alvaro Folgado about 7 years ago. Updated about 7 years ago.

Status: Rejected
Priority: Must have
Assignee: -
Category: Security
Target version: -
Start date: 2017-02-08
Due date: -
% Done: 0%
Estimated time: -
TYPO3 Version: 8
PHP Version: 7.1
Tags: -
Complexity: easy
Is Regression: No
Sprint Focus: -

Description

Hello typo3CMS staff,

I am a security engineer performing some research, and I would like to communicate some security issues with your software.

I have already contacted the security team by private message, and they told me that they cannot fix the checking of magic bytes in the core of the CMS, and they offered me to post the issue here.
They asked me not to share the payload, but a simple Google search will give anyone a working payload to run commands on a vulnerable operating system (this bug is a command injection and is easy to exploit).

This issue is serious; the solution given to avoid it should not be only to rely on updated operating system software and ImageMagick. Web server logic should check the image content, since there are a lot of people who may be using the CMS on vulnerable systems.

I have found a security issue: Remote Code Execution, in your latest TYPO3 version (2.4.1).

This RCE is triggered thanks to an ImageMagick issue (CVE-2016-3714).
This was discovered by uploading images with different extensions in the main file upload tool that the CMS gives the administrator, but which could be used by plain users to upload avatars, etc.

Uploading a ".svg" image file with the following content:

*[banned]*

could lead to Remote Code Execution by basic users (since, for example, uploading an avatar and loading the image will trigger the vulnerability).

The right mitigation would be to check the "magic bytes" on image upload, so we avoid the injection of this kind of payload in place of a true image.

Tested on:

OS > Debian 4.8.11-1kali1 (2016-12-08) x86_64

PHP > PHP 7.0.14-2

MySQL > Ver 14.14 Distrib 5.6.30, for debian-linux-gnu (x86_64)

TYPO3 CMS > 7.6.15 ==> Most probably version 8 of TYPO3 will have the same issues

Thank you for your attention, and I hope to have an answer back soon,
Alvaro Folgado
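The report above proposes a "magic bytes" check on upload. The following is an added example of such a check in plain PHP, written for this page; it is not TYPO3 code and does not use any TYPO3 API. The function names, the accepted-format table and the sample byte strings are all constructed for the illustration. The security-relevant point it encodes is that ImageMagick picks its decoder from the file content rather than the extension, so the check has to verify that the bytes are a genuine raster image, not merely that the extension is on an allow-list; any text-based format (XML/SVG, MVG) renamed to ".png" fails the signature test and never reaches the image processor.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): accept an upload for image processing
// only when its leading bytes match a known raster-format signature AND
// that format agrees with the file extension the upload claims.

/** Leading-byte signatures of the raster formats this site accepts. */
const RASTER_SIGNATURES = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpeg' => "\xFF\xD8\xFF",
    'gif'  => 'GIF8',          // covers GIF87a and GIF89a
];

/** Extensions the upload form may carry, mapped to the format each must contain. */
const ACCEPTED_EXTENSIONS = [
    'png'  => 'png',
    'jpg'  => 'jpeg',
    'jpeg' => 'jpeg',
    'gif'  => 'gif',
];

/** Return the raster format indicated by the magic bytes, or null if none match. */
function detectRasterType(string $head): ?string
{
    foreach (RASTER_SIGNATURES as $format => $signature) {
        if (strncmp($head, $signature, strlen($signature)) === 0) {
            return $format;
        }
    }
    return null;
}

/**
 * Decide whether an upload may be handed to image processing.
 * Returns null when the file is acceptable, otherwise a rejection reason.
 */
function validateImageUpload(string $fileName, string $head): ?string
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if (!isset(ACCEPTED_EXTENSIONS[$ext])) {
        return "extension '$ext' is not an accepted raster format";
    }
    $detected = detectRasterType($head);
    if ($detected === null) {
        // Catches XML/SVG, MVG and any other text masquerading as an image.
        return 'content does not start with a known raster signature';
    }
    if ($detected !== ACCEPTED_EXTENSIONS[$ext]) {
        return "content is $detected but the extension claims " . ACCEPTED_EXTENSIONS[$ext];
    }
    return null;
}

/** Convenience wrapper: read only the first bytes of a file on disk. */
function validateImageFile(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return 'cannot open file';
    }
    $head = fread($fh, 16);
    fclose($fh);
    return validateImageUpload(basename($path), $head === false ? '' : $head);
}

// Constructed sample inputs: only the first bytes of each file, no payload.
$samples = [
    'avatar.png'  => "\x89PNG\r\n\x1a\n\x00\x00\x00\x0DIHDR",
    'avatar.jpg'  => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'avatar.svg'  => '<?xml version="1.0"?><svg',
    'renamed.png' => '<?xml version="1.0"?><svg',   // SVG text carrying a .png name
];
foreach ($samples as $name => $head) {
    $reason = validateImageUpload($name, $head);
    printf("%-12s %s\n", $name, $reason === null ? 'accepted' : 'rejected: ' . $reason);
}
```

Two caveats for anyone adopting this: it deliberately rejects SVG altogether, so a site that needs SVG should store and serve it without ever passing it through ImageMagick; and it is a file-level gate, not a substitute for the ImageMagick-side hardening (policy.xml coder restrictions and an updated ImageMagick) that the Drupal and WordPress advisories linked in the reply below describe, since ImageMagick still parses whatever it is given.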

Actions #1

Updated by Helmut Hummel about 7 years ago

  • Assignee deleted (Helmut Hummel)
Actions #2

Updated by Helmut Hummel about 7 years ago

  • Status changed from New to Rejected
  • Tags deleted (Remote Code Execution)

it should not be only to rely in a updated operating system software and imagemagick

I disagree, and it seems I'm not alone with that opinion: https://www.drupal.org/node/2718305 https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/

If processing of SVGs is not needed, TYPO3 can be configured to not allow uploading files with this extension, or this extension can be removed from image processing. I consider these mitigations within TYPO3 to be sufficient.
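As an added illustration of the two TYPO3-side mitigations named in the reply above (this fragment is written for this page, not taken from the TYPO3 project or the thread): `GFX/imagefile_ext` and `BE/fileDenyPattern` are real TYPO3 configuration options set in `LocalConfiguration.php`. The default value shown for `imagefile_ext` is what I recall for TYPO3 8 and should be treated as an assumption; the deny-pattern default is not on this page, so it appears as a labelled placeholder.

```php
<?php
// Added example, not TYPO3 project code: LocalConfiguration.php fragment
// showing the weak and hardened forms of the two settings. TYPO3 merges
// this array over its DefaultConfiguration, so only the keys listed here change.
return [
    'GFX' => [
        // Weak (assumed TYPO3 8 default): svg stays in the list of extensions
        // that TYPO3 hands to ImageMagick for processing.
        // 'imagefile_ext' => 'gif,jpg,jpeg,tif,tiff,bmp,pcx,tga,png,pdf,ai,svg',

        // Hardened: svg removed, so ImageMagick is never invoked on SVG files.
        'imagefile_ext' => 'gif,jpg,jpeg,tif,tiff,bmp,pcx,tga,png,pdf,ai',
    ],
    'BE' => [
        // Stricter still: refuse .svg uploads entirely by extending the deny
        // pattern. "<EXISTING_DEFAULT_PATTERN>" is a placeholder for the
        // installed default regex, which must be kept, not replaced.
        'fileDenyPattern' => '<EXISTING_DEFAULT_PATTERN>|\\.svg$',
    ],
];
```

Removing the extension from `imagefile_ext` only stops TYPO3 from processing SVG; the deny pattern is what prevents the file from being stored at all. Either way, an ImageMagick build that is patched for CVE-2016-3714, or a policy.xml that disables the affected coders, remains the fix for files that arrive through any other route.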
