Bug #81361

File dump in TYPO3 BE insecure because login status is not checked

Added by Alexander Bohndorf about 2 years ago. Updated 4 months ago.

Status:
New
Priority:
Should have
Assignee:
Category:
Backend User Interface
Start date:
2017-05-29
Due date:
% Done:

0%

TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Dear TYPO3 team,

we found a security issue in the Filelist module in TYPO3 BE in all TYPO3 versions from 6.2 to 7.x and 8.6:

You can create a File Storage with "Path type" set to "absolute" and "Base path" pointing to a secure directory outside of docroot, "Is publicly available?" left unchecked.
You can upload files in File list module, f.e. a csv file with sensitive data.
When you preview this file with with a click on the "Show" icon, a new browser tab opens with an URL like: "/index.php?eID=dumpFile&t=f&f=2&token=ea0aa41c84835250308254959470650ac4d66bbf", dumping your file contents.

The security issue is that you can also open this URL without being logged in as TYPO3 BE user without any authentication process.

That means, that a TYPO3 BE user could unsuspectingly preview this sensitive file f.e. with a Google Chrome browser which will potentially index this file just because the URL is entered into Chrome and suddenly it becomes publicly available.
Imagine, this could be personal data as credit card informations, account details etc.

The issue could be solved in two ways:
a) use a separate dump script for TYPO3 BE with authentication check
b) use a hook to add authentication if the exising dump script is called in TYPO3 BE.

I implemented an extension for variant b) and attached it. This will fix this issue as it checks if a BE-User is logged in and if he has access to the file storage and if the file storage is browsable and active before dumping the file.

Best regards,

Alexander

sms_securedump_1.0.0_201703020953.zip - Extension to check user credentials, access rights and login status before dump (2.95 KB) Alexander Bohndorf, 2017-05-29 11:04

History

#1 Updated by Frans Saris about 2 years ago

  • Status changed from New to Rejected

Hi,

The checkbox "Is publicly available" doesn't state the storage is secured. But only that there is no direct public link to the files in the storage and TYPO3 should proxy all files called in this storage.

This is also documented this way see: https://docs.typo3.org/typo3cms/FileAbstractionLayerReference/Administration/Storages/Index.html?highlight=restrictions#file-storages

Besides the extension you provide there is also a extension available in TER that can help you with securing your assets https://typo3.org/extensions/repository/view/fal_securedownload

#2 Updated by Alexander Bohndorf about 2 years ago

  • Assignee set to Frans Saris

Hi Frans,

thanks for your quick response!
Please note that the described behaviour happens in the TYPO3 backend, I didn't mention this (documented) behaviour in FE.

So if you are logged in as TYPO3 BE user then you can create a file storage with a directory outside of docroot and your file storage seems to be save against being accessed from frontend without authentication.
The preview link in filelist in BE calls the eId-Script which is usally used only in FE context AND which has no checks for being logged in as BE user (because it is not a BE script).
If you call this link with f.e. Google Chrome then it could be indexed by Google and become available for any (unauthorized) user who gets this link. Even if you never added a link to this eid script in your frontend. Only because you clicked the preview link in filelist in the TYPO3 BE.
So you don't have any possibility for a really secure preview in TYPO3 BE with a proper authentication check for BE users without installing an extension.
This is an unexpected, unwanted and undocumented behaviour.

And I'm not sure if the extension fal_securedownload really addresses this issue in the TYPO3 BE.
Anyway, in my opinion the TYPO3 Core should handle this without the need of any extension.

What do you think about it?

#3 Updated by Alexander Bohndorf about 2 years ago

The extension https://typo3.org/extensions/repository/view/fal_securedownload does not fix this issue in TYPO3 BE.

Please reopen this issue.

#4 Updated by Frans Saris over 1 year ago

Why does this not fix the issue in the BE?

When the storage is set as non public and the folder is outside the webroot the files are only accessable through the file dump EID script. And a with the extension installed the files are not accessible by Google etc when you set the permission on file/folder.

So if you are logged in as TYPO3 BE user then you can create a file storage with a directory outside of docroot and your file storage seems to be save against being accessed from frontend without authentication.
....
So you don't have any possibility for a really secure preview in TYPO3 BE with a proper authentication check for BE users without installing an extension.
This is an unexpected, unwanted and undocumented behaviour.

As mentioned before the "Is publicly available?" checkbox hasn't anything to do with authentication or security. It only enables the eID script that works as a proxy when the files are not directly accessable.

Anyway, in my opinion the TYPO3 Core should handle this without the need of any extension.

It could be a option to integrate an extension like ext:fal_securedownload into the core. But I personally don't really see a problem with having it as separate extension where anyone is free to choose the wanted behavior/functionality. But will address this next week during the core team meeting.

#5 Updated by Frans Saris over 1 year ago

  • Status changed from Rejected to New

During our core team meeting we decided we want to integrate the functionality like ext:fal_securedownload brings, into the core.

#6 Updated by Benni Mack 4 months ago

  • Target version changed from next-patchlevel to Candidate for patchlevel

Also available in: Atom PDF