Bug #85875

Issues in ThumbnailController

Added by Oliver Hader over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
Backend API
Target version:
Start date:
2018-08-16
Due date:
% Done:

100%

TYPO3 Version:
8
PHP Version:
7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

  • information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)
  • denial of service (dimensions, basically whole configuration can be arbitrary)

Introduced in https://review.typo3.org/#/c/56765/ - not released yet to 9.4.0 nor 8.7.19

Solution: Add HMAC to all HTTP request parameters.

PoC

XSRF Token has to be adjusted in the links below

Information Disclosure

http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=

Denial of Service

http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=

Associated revisions

Revision 5dbcb5da (diff)
Added by Oliver Hader over 1 year ago

[SECURITY] Ensure validity of parameters submitted to ThumbnailController

Parameters submitted to ThumbnailController via HTTP GET query parameters
can contain arbitrary information. Thus, it has to be verified that those
parameters are valid by signing them with a HMAC.

Prior to that the source code was vulnerable to information disclosure as
well as denial of service attacks due to unsanitized user input. A valid
backend user account was required in order to make use of these flaws.

Since the change which introduced this behavior was not released yet, the
security fixes are handled in public without additional announcements.

Resolves: #85875
Releases: master, 8.7
Change-Id: Ia53ba3756f140b0728b8fd1fb7e0527836639a6b
Reviewed-on: https://review.typo3.org/57943
Tested-by: TYPO3com <>
Reviewed-by: Mathias Brodala <>
Reviewed-by: Wouter Wolters <>
Reviewed-by: Christian Kuhn <>
Tested-by: Christian Kuhn <>
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>

Revision 0200fec9 (diff)
Added by Oliver Hader over 1 year ago

[SECURITY] Ensure validity of parameters submitted to ThumbnailController

Parameters submitted to ThumbnailController via HTTP GET query parameters
can contain arbitrary information. Thus, it has to be verified that those
parameters are valid by signing them with a HMAC.

Prior to that the source code was vulnerable to information disclosure as
well as denial of service attacks due to unsanitized user input. A valid
backend user account was required in order to make use of these flaws.

Since the change which introduced this behavior was not released yet, the
security fixes are handled in public without additional announcements.

Resolves: #85875
Releases: master, 8.7
Change-Id: Ia53ba3756f140b0728b8fd1fb7e0527836639a6b
Reviewed-on: https://review.typo3.org/57953
Tested-by: TYPO3com <>
Reviewed-by: Christian Kuhn <>
Tested-by: Christian Kuhn <>
Reviewed-by: Frank Naegler <>
Tested-by: Frank Naegler <>

History

#1 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#2 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#3 Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943

#4 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943

#5 Updated by Oliver Hader over 1 year ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (T3-03: Information Disclosure)

#6 Updated by Oliver Hader over 1 year ago

  • Priority changed from Should have to Must have

#7 Updated by Oliver Hader over 1 year ago

  • Category set to Backend API
  • Target version set to 8.7.19
  • PHP Version set to 7.2

#8 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943

#9 Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943

#10 Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943

#11 Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943

#12 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57953

#13 Updated by Oliver Hader over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#14 Updated by Benni Mack about 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF