Bug#702669: TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core

2013-03-09 Thread Carlos Alberto Lopez Perez
On 09/03/13 22:43, Carlos Alberto Lopez Perez wrote:
> It has been discovered that TYPO3 Core is susceptible to SQL Injection
> and Open Redirection.
> 
> Here is the relevant information:
> 
> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/
> 
> A CVE number was asked at: http://seclists.org/oss-sec/2013/q1/611

Forgot to mention that the SQL Injection is being exploited in the wild.

"""
Note: It has been reported to the TYPO3 Security Team that this problem
is known and exploited in the wild.
"""

Bug#702669: TYPO3-CORE-SA-2013-001: SQL Injection and Open Redirection in TYPO3 Core

2013-03-09 Thread Carlos Alberto Lopez Perez
Package: typo3
Version: 4.3.9+dfsg1-1+squeeze7
Severity: grave
Tags: security, upstream


Hi,


It has been discovered that TYPO3 Core is susceptible to SQL Injection
and Open Redirection.

Here is the relevant information:

https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/

A CVE number was asked at: http://seclists.org/oss-sec/2013/q1/611



The patch that fixes the SQL Injection is the following:

http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/d00f4b6523507db3c4c7601cf7758333c8290c1d

However, to make it apply to the older typo3 in Squeeze you first have to
apply the following ones:

http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/76f0c979dd5d221807c086cb7a4eb912055d8318

http://git.typo3.org/TYPO3v4/CoreProjects/MVC/extbase.git/commitdiff/68a2f3d653d77d8ed9a283e30f07e6f718c18f19


I'm attaching the file 10-SecBull-TYPO3-CORE-SA-2013-001.patch, ready to
drop into debian/patches, which is the result of applying the above
commits in order:

* 76f0c979dd5d221807c086cb7a4eb912055d8318
* 68a2f3d653d77d8ed9a283e30f07e6f718c18f19
* d00f4b6523507db3c4c7601cf7758333c8290c1d


For the other issue in the security bulletin (the open redirection issue),
the relevant commit seems to be
http://git.typo3.org/TYPO3v4/Core.git/commit/71135d82ccb74b3ccf8673ce197cd8c4340d5163
but I don't have a backport of it to squeeze.


TYPO3 in squeeze-backports and wheezy is also affected.


Regards!
--- a/typo3/sysext/extbase/Classes/Persistence/Storage/Typo3DbBackend.php
+++ b/typo3/sysext/extbase/Classes/Persistence/Storage/Typo3DbBackend.php
@@ -494,18 +494,17 @@
 $typeOfRelation = $columnMap->getTypeOfRelation();
 if ($typeOfRelation === Tx_Extbase_Persistence_Mapper_ColumnMap::RELATION_HAS_AND_BELONGS_TO_MANY) {
 	$relationTableName = $columnMap->getRelationTableName();
-	$sql['where'][] = $tableName . '.uid IN (SELECT ' . $columnMap->getParentKeyFieldName() . ' FROM ' . $relationTableName . ' WHERE ' . $columnMap->getChildKeyFieldName() . '=' . $this->getPlainValue($operand2) . ')';
+	$sql['where'][] = $tableName . '.uid IN (SELECT ' . $columnMap->getParentKeyFieldName() . ' FROM ' . $relationTableName . ' WHERE ' . $columnMap->getChildKeyFieldName() . '=?)';
+	$parameters[] = intval($this->getPlainValue($operand2));
 } elseif ($typeOfRelation === Tx_Extbase_Persistence_Mapper_ColumnMap::RELATION_HAS_MANY) {
 	$parentKeyFieldName = $columnMap->getParentKeyFieldName();
 	if (isset($parentKeyFieldName)) {
-		$columnName = $this->dataMapper->convertPropertyNameToColumnName($operand1->getPropertyName(), $source->getNodeTypeName());
 		$childTableName = $columnMap->getChildTableName();
-		$sql['where'][] = $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=' . $this->getPlainValue($operand2) . ')';
+		$sql['where'][] = $tableName . '.uid=(SELECT ' . $childTableName . '.' . $parentKeyFieldName . ' FROM ' . $childTableName . ' WHERE ' . $childTableName . '.uid=?)';
+		$parameters[] = intval($this->getPlainValue($operand2));
 	} else {
-		$statement = '(' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'%,' . $this->getPlainValue($operand2) . ',%\'';
-		$statement .= ' OR ' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'%,' . $this->getPlainValue($operand2) . '\'';
-		$statement .= ' OR ' . $tableName . '.' . $operand1->getPropertyName() . ' LIKE \'' . $this->getPlainValue($operand2) . ',%\')';
-		$sql['where'][] = $statement;
+		$sql['where'][] = 'FIND_IN_SET(?,' . $tableName . '.' . $columnName . ')';
+		$parameters[] = intval($this->getPlainValue($operand2));
 	}
 } else {
 	throw new Tx_Extbase_Persistence_Exception_RepositoryException('Unsupported relation for contains().', 1267832524);
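Review bot: `$columnName` on the new `FIND_IN_SET(?,' . $tableName . '.' . $columnName . ')'` line in the else branch is not assigned anywhere in the visible hunk; the only assignment shown, `$columnName = $this->dataMapper->convertPropertyNameToColumnName(...)`, sits in the `isset($parentKeyFieldName)` branch and is removed here. Confirm it is set earlier in the function (the two prerequisite commits are folded into this patch), otherwise this branch emits `FIND_IN_SET(?,<table>.)` and a malformed query. The replacement is otherwise the right shape: every interpolated `$this->getPlainValue($operand2)` becomes a `?` placeholder with the value appended to `$parameters` through `intval()`, so the uid is neutralized even if a placeholder were left unbound; the order of `$parameters[]` appends must match the order of the `$sql['where'][]` entries when the statement is assembled. One behavioural change deserves a comment in the code: the old `LIKE '%,x,%'` chain matched any string in the comma-separated list, whereas `intval()` reduces a non-integer value to 0, so `contains()` on a non-uid list now silently matches nothing.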
@@ -830,9 +829,9 @@
 	 */
 	protected function parseLimitAndOffset($limit, $offset, array &$sql) {
 		if ($limit !== NULL && $offset !== NULL) {
-			$sql['limit'] = $offset . ', ' . $limit;
+			$sql['limit'] = intval($offset) . ', ' . intval($limit);
 		} elseif ($limit !== NULL) {
-			$sql['limit'] = $limit;
+			$sql['limit'] = intval($limit);
 		}
 	}
 
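Review bot: `intval()` on `$limit` and `$offset` removes the injection but coerces instead of validating: `intval('abc')` is 0, so a garbage limit becomes `LIMIT 0` and silently returns no rows, and `intval('-5')` is -5, which produces a syntactically invalid `LIMIT -5`. Consider rejecting non-numeric or negative values (for example by throwing an exception from the same `Tx_Extbase_Persistence_Exception` family used elsewhere in this patch) so that callers see an error rather than an empty or failing query. The `!== NULL` checks still run on the raw values, which is fine since NULL is the only "not set" sentinel, but an empty string now becomes `LIMIT 0` rather than being treated as unset.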