* (security) Fixed bug #8674: Vulnerability of security bulletin typo3-20080611-1...
authorMichael Stucki <michael.stucki@typo3.org>
Wed, 11 Jun 2008 07:35:48 +0000 (07:35 +0000)
committerMichael Stucki <michael.stucki@typo3.org>
Wed, 11 Jun 2008 07:35:48 +0000 (07:35 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-0@3804 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_basicfilefunc.php
t3lib/class.t3lib_befunc.php
t3lib/class.t3lib_extfilefunc.php
t3lib/config_default.php
t3lib/stddb/tables.php
typo3/sysext/cms/tbl_tt_content.php

index 0c08121..72518ca 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@
 
 2008-06-11  Michael Stucki  <michael@typo3.org>
 
+       * (security) Fixed bug #8674: Vulnerability of security bulletin typo3-20080611-1: Default value of fileDenyPattern allows arbitrary code execution on Apache (Patch by Henning Pingel, thanks!)
        * (security) Fixed a low-severity Cross Site Scripting issue in fe_adminLib.inc. For details, see http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/ - thanks to Christian Seifert, Jeroen van Iddekinge and Arnd Messer for discovering and reporting this issue.
 
 2008-04-03  Ingmar Schlecht  <ingmar@typo3.org>
index cf8c0cc..9e0fdea 100644 (file)
@@ -113,7 +113,7 @@ class t3lib_basicFileFunctions      {
         *
         *      A typical example of the array $f_ext is this:
         *              $f_ext['webspace']['allow']='';
-        *              $f_ext['webspace']['deny']='php3,php';
+        *              $f_ext['webspace']['deny']= PHP_EXTENSIONS_DEFAULT;
         *              $f_ext['ftpspace']['allow']='*';
         *              $f_ext['ftpspace']['deny']='';
         *      The control of fileextensions goes in two catagories. Webspace and Ftpspace. Webspace is folders accessible from a webbrowser (below TYPO3_DOCUMENT_ROOT) and ftpspace is everything else.
index bdb594d..e22b8fa 100755 (executable)
@@ -3515,6 +3515,16 @@ class t3lib_BEfunc       {
                                $warnings[] = 'The encryption key is not set! Set it in <a href="'.$url.'">$TYPO3_CONF_VARS[SYS][encryptionKey]</a>';
                        }
 
+                               // Check if fileDenyPattern was changed which is dangerous on Apache
+                       if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT ) {
+                               $warnings[] = 'The value of fileDenyPattern is not set to its default value:<br /><pre>'.htmlspecialchars(FILE_DENY_PATTERN_DEFAULT).'</pre><br />If TYPO3 is running on Apache, a customized value might enable backend or frontend users to execute malicious PHP scripts.';
+                       }
+
+                               // Check if fileDenyPattern allows to upload .htaccess files which is dangerous on Apache
+                       if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT && t3lib_div::verifyFilenameAgainstDenyPattern('.htaccess')) {
+                               $warnings[] = 'The current value of fileDenyPattern allows to upload/create files with the name ".htaccess". If TYPO3 is running on Apache, this enables backend or frontend users to create and execute PHP scripts. Please reset the value of fileDenyPattern to its default.';
+                       }
+
                                // check if there are still updates to perform
                        if (!t3lib_div::compat_version(TYPO3_branch))   {
                                $url = 'install/index.php?redirect_url=index.php'.urlencode('?TYPO3_INSTALL[type]=update');
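Review bot: The first new warning shows only the default pattern and not the value that is actually configured, so an administrator cannot see what differs without opening the install tool; append the current value too, e.g. `'... Current value:<br /><pre>'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']).'</pre>'`. The second check probes only the literal `.htaccess`; since the rationale given for the new default (config_default.php comment) is multi-extension names on Apache, a second probe such as `t3lib_div::verifyFilenameAgainstDenyPattern('test.php.txt')` would catch a customised pattern that still allows those. Both conditions use the loose `!=`; `!==` is the safer comparison against a string constant. The enclosing method starts and ends outside the hunk.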
index 1e5b45a..8d57aeb 100755 (executable)
@@ -94,7 +94,7 @@
  * You are allowed to copy/move folders between spaces (web/ftp) IF the destination has it's f_ext[]['allow'] set to '*'!
  *
  * Advice:
- * You should always exclude php-files from the webspace. This will keep people from uploading, copy/moving and renaming files to the php3/php-extension.
+ * You should always exclude php-files from the webspace. This will keep people from uploading, copy/moving and renaming files to become executable php scripts.
  * You should never mount a ftp_space 'below' the webspace so that it reaches into the webspace. This is because if somebody unzips a zip-file in the ftp-space so that it reaches out into the webspace this will be a violation of the safety
  * For example this is a bad idea: you have an ftp-space that is '/www/' and a web-space that is '/www/htdocs/'
  *
@@ -504,7 +504,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                        return $theDestFile;
                                                                } else $this->writelog(2,2,109,'File "%s" WAS NOT copied to "%s"! Write-permission problem?',Array($theFile,$theDestFile));
                                                        } else  $this->writelog(2,1,110,'Target or destination was not within your mountpoints! T="%s", D="%s"',Array($theFile,$theDestFile));
-                                               } else $this->writelog(2,1,111,'Fileextension "%s" is not allowed in "%s"!',Array($fI['fileext'],$theDest.'/'));
+                                               } else $this->writelog(2,1,111,'Extension of file name "%s" is not allowed in "%s"!',Array($fI['file'],$theDest.'/'));
                                        } else $this->writelog(2,1,112,'File "%s" already exists!',Array($theDestFile));
                                } else $this->writelog(2,1,113,'File "%s" exceeds the size-limit of %s bytes',Array($theFile,$this->maxCopyFileSize*1024));
                        } else $this->writelog(2,1,114,'You are not allowed to copy files','');
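Review bot: The reworded log message still says "Extension of file name", but the deny decision is now made on the whole file name (the new default pattern rejects `.htaccess` and multi-extension names such as `name.php.txt`), so the message misdescribes the cause in exactly the cases this commit adds; `'File name "%s" is not allowed in "%s"!'` would be accurate for all of them. The same wording is used in the hunks ending at L82, L91, L100, L109 and L118. The condition that leads to this else branch, and the enclosing method, are outside the hunk, so whether the hit came from `fileExtensions` or `fileDenyPattern` cannot be confirmed here.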
@@ -594,7 +594,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                        return $theDestFile;
                                                                } else $this->writelog(3,2,109,'File "%s" WAS NOT moved to "%s"! Write-permission problem?',Array($theFile,$theDestFile));
                                                        } else $this->writelog(3,1,110,'Target or destination was not within your mountpoints! T="%s", D="%s"',Array($theFile,$theDestFile));
-                                               } else $this->writelog(3,1,111,'Fileextension "%s" is not allowed in "%s"!',Array($fI['fileext'],$theDest.'/'));
+                                               } else $this->writelog(3,1,111,'Extension of file name "%s" is not allowed in "%s"!',Array($fI['file'],$theDest.'/'));
                                        } else $this->writelog(3,1,112,'File "%s" already exists!',Array($theDestFile));
                                } else $this->writelog(3,1,113,'File "%s" exceeds the size-limit of %s bytes',Array($theFile,$this->maxMoveFileSize*1024));
                        } else $this->writelog(3,1,114,'You are not allowed to move files','');
@@ -669,7 +669,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                                                $this->writelog(5,0,1,'File renamed from "%s" to "%s"',Array($fileInfo['file'],$theNewName));
                                                                                                return $theRenameName;
                                                                                        } else $this->writelog(5,1,100,'File "%s" was not renamed! Write-permission problem in "%s"?',Array($theTarget,$fileInfo['path']));
-                                                                               } else $this->writelog(5,1,101,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
+                                                                               } else $this->writelog(5,1,101,'Extension of file name "%s" was not allowed!',Array($fI['file']));                                                                              } else $this->writelog(5,1,101,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
                                                                        } else $this->writelog(5,1,102,'You are not allowed to rename files!','');
                                                                } elseif ($type=='dir') {
                                                                        if ($this->actionPerms['renameFolder']) {
@@ -745,7 +745,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                                        return $theNewFile;
                                                                                } else $this->writelog(8,1,100,'File "%s" was not created! Write-permission problem in "%s"?',Array($fI['file'], $theTarget));
                                                                        } else $this->writelog(8,1,107,'Fileextension "%s" is not a textfile format! (%s)',Array($fI['fileext'], $extList));
-                                                               } else $this->writelog(8,1,106,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
+                                                               } else $this->writelog(8,1,106,'Extension of file name "%s" was not allowed!',Array($fI['file']));
                                                        } else $this->writelog(8,1,101,'File "%s" existed already!',Array($theNewFile));
                                                } else $this->writelog(8,1,102,'Destination path "%s" was not within your mountpoints!',Array($theTarget.'/'));
                                        } else $this->writelog(8,1,103,'You are not allowed to create files!','');
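Review bot: The adjacent unchanged message on the line above, `'Fileextension "%s" is not a textfile format! (%s)'` with `Array($fI['fileext'], $extList)`, now uses a different wording and a different argument (`fileext` vs `file`) than the changed message on the next line, so the two log entries for the same file will read inconsistently; if that is intentional because the textfile check really is extension-based, a short comment saying so would help, otherwise align it to `'Extension of file name "%s" ...'` with `$fI['file']`. The same pairing occurs in the hunk ending at L109. The enclosing method starts and ends outside the hunk.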
@@ -780,7 +780,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                return TRUE;
                                                        } else $this->writelog(9,1,100,'File "%s" was not saved! Write-permission problem in "%s"?',Array($theTarget,$fileInfo['path']));
                                                } else $this->writelog(9,1,102,'Fileextension "%s" is not a textfile format! (%s)',Array($fI['fileext'], $extList));
-                                       } else $this->writelog(9,1,103,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
+                                       } else $this->writelog(9,1,103,'Extension of file name "%s" was not allowed!',Array($fI['file']));
                                } else $this->writelog(9,1,104,'You are not allowed to edit files!','');
                        } else $this->writelog(9,1,121,'Destination path "%s" was not within your mountpoints!',Array($fileInfo['path']));
                } else $this->writelog(9,2,123,'Target "%s" was not a file!',Array($theTarget));
@@ -816,7 +816,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                                return $theNewFile;
                                                                        } else $this->writelog(1,1,100,'Uploaded file could not be moved! Write-permission problem in "%s"?',Array($theTarget.'/'));
                                                                } else $this->writelog(1,1,101,'No unique filename available in "%s"!',Array($theTarget.'/'));
-                                                       } else $this->writelog(1,1,102,'Fileextension "%s" is not allowed in "%s"!',Array($fI['fileext'],$theTarget.'/'));
+                                                       } else $this->writelog(1,1,102,'Extension of file name "%s" is not allowed in "%s"!',Array($fI['file'], $theTarget.'/'));
                                                } else $this->writelog(1,1,103,'Destination path "%s" was not within your mountpoints!',Array($theTarget.'/'));
                                        } else $this->writelog(1,1,104,'The uploaded file exceeds the size-limit of %s bytes',Array($this->maxUploadFileSize*1024));
                                } else $this->writelog(1,1,105,'You are not allowed to upload files!','');
index 93d4a19..ba2b576 100755 (executable)
 
 if (!defined ('PATH_typo3conf'))       die ('The configuration path was not properly defined!');
 
+//Security related constant: Default value of fileDenyPattern
+define('FILE_DENY_PATTERN_DEFAULT', '\.php[3-6]?(\..*)?$|^\.htaccess$');
+
+//Security related constant: Comma separated list of file extensions that should be registered as php script file extensions
+define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6');
+
 $TYPO3_CONF_VARS = Array(
        'GFX' => array(         // Configuration of the image processing features in TYPO3. 'IM' and 'GD' are short for ImageMagick and  GD library respectively.
                'image_processing' => 1,                                // Boolean. Enables image processing features. Disabling this means NO image processing with either GD or IM!
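Review bot: FILE_DENY_PATTERN_DEFAULT and PHP_EXTENSIONS_DEFAULT encode the same set of PHP extensions (php, php3 to php6) in two unrelated forms, a regex character class `[3-6]` and a comma list, so extending one later (another handler extension, for example) silently leaves the other behind and the two deny mechanisms disagree; add a comment on each, e.g. `// Keep in sync with PHP_EXTENSIONS_DEFAULT below`, or derive the list from a single definition. It would also help to say here what the regex is meant to cover (a PHP extension at the end or followed by further dot-extensions, and the exact name `.htaccess`) and that it is matched case-insensitively, since the only explanation of this is in the `fileDenyPattern` comment further down. The comments use `//Security` without a space, unlike the rest of the file.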
@@ -70,7 +76,7 @@ $TYPO3_CONF_VARS = Array(
                'curlProxyTunnel' => 0,                                 // Boolean: If set, use a tunneled connection through the proxy (usefull for websense etc.).
                'curlProxyUserPass' => '',                              // String: Proxyserver authentication user:pass.
                'form_enctype' => 'multipart/form-data',        // String: This is the default form encoding type for most forms in TYPO3. It allows for file uploads to be in the form. However if file-upload is disabled for your PHP version even ordinary data sent with this encryption will not get to the server. So if you have file_upload disabled, you will have to change this to eg. 'application/x-www-form-urlencoded'
-               'textfile_ext' => 'txt,html,htm,css,inc,php,php3,tmpl,js,sql',  // Text file extensions. Those that can be edited. php,php3 cannot be edited in webspace if they are disallowed! Notice:
+               'textfile_ext' => 'txt,html,htm,css,inc,tmpl,js,sql,' . PHP_EXTENSIONS_DEFAULT, // Text file extensions. Those that can be edited. Executable PHP files may not be editable in webspace if disallowed!
                'contentTable' => '',                                   // This is the page-content table (Normally 'tt_content')
                'T3instID' => 'N/A',                                    // A unique installation ID - not used yet. The idea is that a TYPO3 installation can identify itself by this ID string to the Extension Repository on TYPO3.org so that we can keep a realistic count of serious TYPO3 installations.
                'binPath' => '',                                                // String: List of absolute paths where external programs should be searched for. Eg. '/usr/local/webbin/,/home/xyz/bin/'. (ImageMagick path have to be configured separately)
@@ -149,13 +155,13 @@ $TYPO3_CONF_VARS = Array(
                        // The control is done like this: If an extension matches 'allow' then the check returns true. If not and an extension matches 'deny' then the check return false. If no match at all, returns true.
                        // You list extensions comma-separated. If the value is a '*' every extension is matched
                        // If no fileextension, true is returned if 'allow' is '*', false if 'deny' is '*' and true if none of these matches
-                       // This configuration below accepts everything in ftpspace and everything in webspace except php3 or php files
+                       // This configuration below accepts everything in ftpspace and everything in webspace except files with an extension from PHP_EXTENSIONS_DEFAULT
                'fileExtensions' => array (
-                       'webspace' => array('allow'=>'', 'deny'=>'php,php3,php4,php5'),
+                       'webspace' => array('allow'=>'', 'deny'=> PHP_EXTENSIONS_DEFAULT ),
                        'ftpspace' => array('allow'=>'*', 'deny'=>'')
                ),
                'customPermOptions' => array(),                 // Array with sets of custom permission options. Syntax is; 'key' => array('header' => 'header string, language splitted', 'items' => array('key' => array('label, language splitted', 'icon reference', 'Description text, language splitted'))). Keys cannot contain ":|," characters.
-               'fileDenyPattern' => '\.php$|\.php.$',  // A regular expression that - if it matches a filename - will deny the file upload/rename or whatever in the webspace. Matching with eregi() (case-insensitive).
+               'fileDenyPattern' => FILE_DENY_PATTERN_DEFAULT ,        // A regular expression that - if it matches a filename - will deny the file upload/rename or whatever in the webspace. For security reasons, files with multiple extensions have to be denied on an Apache environment with mod_alias, if the filename contains a valid php handler in an arbitary position. Also, ".htaccess" files have to be denied. Matching with eregi() (case-insensitive). Default value is stored in constant FILE_DENY_PATTERN_DEFAULT
                'interfaces' => 'backend',                                      // This determines which interface options is available in the login prompt and in which order (All options: ",backend,frontend")
                'useOnContextMenuHandler' => 1,                 // Boolean. If set, the context menus (clickmenus) in the backend are activated on right-click - although this is not a XHTML attribute!
                'loginLabels' => 'Username|Password|Interface|Log In|Log Out|Backend,Front End|Administration Login on ###SITENAME###|(Note: Cookies and JavaScript must be enabled!)|Important Messages:|Your login attempt did not succeed. Make sure to spell your username and password correctly, including upper/lowercase characters.',          // Language labels of the login prompt.
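Review bot: The new `fileDenyPattern` comment has a typo, `arbitary` should be `arbitrary`, and the new values carry stray spaces before the closing token: `FILE_DENY_PATTERN_DEFAULT ,` and `'deny'=> PHP_EXTENSIONS_DEFAULT )`. Since this commit also adds a backend warning whenever the value differs from the constant, the comment should tell administrators that any customisation of `fileDenyPattern` will trigger that warning, so they know it is deliberate. `$TYPO3_CONF_VARS` starts and ends outside the hunk.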
index f19e6b7..5293d24 100755 (executable)
@@ -459,6 +459,9 @@ $FILEICONS = Array (
        'tgz' => 'zip.gif',
        'gz' => 'zip.gif',
        'php3' => 'php3.gif',
+       'php4' => 'php3.gif',
+       'php5' => 'php3.gif',
+       'php6' => 'php3.gif',
        'php' => 'php3.gif',
        'ttf' => 'ttf.gif',
        'pcx' => 'pcx.gif',
index 64c0c1b..f5e6b15 100755 (executable)
@@ -789,7 +789,7 @@ $TCA['tt_content'] = Array (
                                'type' => 'group',
                                'internal_type' => 'file',
                                'allowed' => '',        // Must be empty for disallowed to work.
-                               'disallowed' => 'php,php3',
+                               'disallowed' => PHP_EXTENSIONS_DEFAULT,
                                'max_size' => '10000',
                                'uploadfolder' => 'uploads/media',
                                'show_thumbs' => '1',
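Review bot: `'disallowed' => PHP_EXTENSIONS_DEFAULT` depends on t3lib/config_default.php having been included before this TCA file; presumably the bootstrap guarantees that, but if the constant is ever undefined when this array is built, PHP 5 evaluates it to the string `'PHP_EXTENSIONS_DEFAULT'` with only a notice, and the media field would then disallow nothing. A guard such as `'disallowed' => defined('PHP_EXTENSIONS_DEFAULT') ? PHP_EXTENSIONS_DEFAULT : 'php,php3,php4,php5,php6',` or a comment stating the load-order assumption would make this explicit. The `$TCA['tt_content']` definition starts and ends outside the hunk.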