Outdated links in archived sites
reported by: Prathamesh Pawar
reported to: TYPO3 Security Team
tl;dr: "broken links" not handled as vulnerability
The TYPO3 Security Team receives reports on outdated links on archived sites from the past, as shown in the following example (citation from report):
Vulnerable page:
https://t3con13de.typo3.org/
referencing https://twitter.com/t3con13de
Impact:
An attacker is able to redirect users to his page, and he can put any content there that can harm your company's reputation
Mitigation:
Remove the broken link from your page or put a valid link in its place
Analysis
The website at t3con13de.typo3.org is a static archive (HTML dump) of the TYPO3 Conference 2013 event site. The report is basically correct - the reported site references an orphaned Twitter account, https://twitter.com/t3con13de, which has since been taken over by a researcher. This scenario - outdated links on archived sites - applies to any external link in general, not only to social media accounts.
The corresponding web archive URI https://web.archive.org/web/20131014070807/http://t3con13de.typo3.org/ shows the same page, archived in October 2013. This representation is identical to the one at the reported URL - mentioned here just to emphasize the meaning and impact of archived sites.
The whole scenario extends to basically any reference, link or re-tweet mentioning the orphaned Twitter account t3con13de - that being said, it really becomes impossible to control all resources.
Security Assessment
The severity is assessed as none to low (that's also why details are made public here with further explanation).
CVSS v3.1: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F/RL:U/RC:C/CR:X/IR:L/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X&version=3.1
- difficult to apply this score since the "attacked component" would be Twitter in this case - it is not possible to attack t3con13de.typo3.org
- confidentiality: none
- availability: none
- integrity: low - or none - that really would depend on corresponding calls to action and whether the resource (the social media account) was actively used - however, we're 7-8 years in the past here
- let's assume the overall severity is low
Potential "Mitigation"
Modifying all archived sites is a huge and time-consuming task - without actually improving web application security in a significant way. The time difference of 7-8 years, and the fact that the mentioned account was only in use prior to and during the event, further reduces the impact of potential "fake news" that would be published now... 7-8 years later.
However, nginx's substitutions module might be able to mitigate the scenario in a generic way for hosts serving those static website archives:
    location / {
        # only rewrite response bodies of these MIME types
        subs_filter_types text/html text/css text/xml;
        # case-insensitive (i) literal replacement of the orphaned account URL
        subs_filter https://twitter.com/t3con13de https://rcdt.typo3.org/outdated i;
        subs_filter <other orphaned account> https://rcdt.typo3.org/outdated i;
    }
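As an added illustration (not code from the advisory or from TYPO3), the following Python script extracts the external links of an archived HTML page, flags those that point at a known orphaned account regardless of scheme, host case, trailing slash or query string, and renders the matching subs_filter block. The HTML fragment and the set of orphaned accounts are constructed for the example; the rcdt.typo3.org/outdated target is the one used in the configuration above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling an archived event page (not the real
# t3con13de.typo3.org markup). The Twitter URL is the orphaned account from
# the report; the other links are made up for this example.
ARCHIVED_HTML = """
<html><body>
<a href="/program.html">Program</a>
<a href="https://t3con13de.typo3.org/venue.html">Venue</a>
<a href="https://Twitter.com/t3con13de/">Follow us</a>
<a href="http://twitter.com/T3CON13DE?lang=en">@t3con13de</a>
<a href="https://typo3.org/">typo3.org</a>
<script src="https://platform.twitter.com/widgets.js"></script>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect href/src values from tags that pull in outside resources."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "script", "iframe", "img"):
            self.links.extend(v for k, v in attrs if k in ("href", "src") and v)

def normalize(url):
    """Comparison key: scheme, www., trailing slash, query and fragment dropped;
    host and path lowercased (Twitter handles are case-insensitive)."""
    u = urlparse(url)
    host = u.netloc.lower()
    host = host[4:] if host.startswith("www.") else host
    return host + u.path.lower().rstrip("/")

def external_links(html, own_host):
    """Absolute http(s) links in the page that leave own_host."""
    parser = LinkExtractor()
    parser.feed(html)
    return [href for href in parser.links
            if urlparse(href).scheme in ("http", "https")
            and urlparse(href).netloc.lower() != own_host]

def find_orphaned(links, orphaned):
    """Links whose normalized form matches a known orphaned account."""
    wanted = {normalize(o) for o in orphaned}
    return sorted({href for href in links if normalize(href) in wanted})

def nginx_subs_filter(orphaned, target):
    """Render a subs_filter block like the advisory's, one line per account."""
    head = ["location / {", "    subs_filter_types text/html text/css text/xml;"]
    body = [f"    subs_filter {o} {target} i;" for o in sorted(orphaned)]
    return "\n".join(head + body + ["}"])
```

Note that subs_filter without the r flag replaces the literal string, so an http:// or protocol-relative variant of the same account needs its own line (or a regex with r), and the module only rewrites response bodies that nginx serves uncompressed.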
Appendix
The following list shows potential subdomains that have been used for the mentioned scenarios - data was fetched using subfinder. Custom annotations have been added manually.
subfinder -d typo3.org | ggrep -P '^(t3con|t3dd)' | sort | uniq
[INF] Enumerating subdomains for typo3.org
t3con.typo3.org - redirect
t3con07.typo3.org
t3con08.typo3.org
t3con09-dallas.typo3.org
t3con09-frankfurt.typo3.org - invalid
t3con09.typo3.org
t3con10-dallas.typo3.org
t3con10-frankfurt.typo3.org - invalid
t3con11-sf.typo3.org
t3con12-asia.typo3.org - invalid
t3con12de.typo3.org
t3con13de.typo3.org
t3con15eu.typo3.org
t3con16eu.typo3.org
t3con18.typo3.org
t3dd.typo3.org - redirect
t3dd07.typo3.org
t3dd08.typo3.org
t3dd09.typo3.org
t3dd10.typo3.org
t3dd11.typo3.org
t3dd12.typo3.org
t3dd13.typo3.org
t3dd14.typo3.org
t3dd15.typo3.org
t3dd16.typo3.org
t3dd17.typo3.org
t3dd18.typo3.org
t3dd19.typo3.org - invalid
subfinder -d typo3.com | ggrep -P '^(t3con|t3dd)' | sort | uniq
[INF] Enumerating subdomains for typo3.com
t3con19.typo3.com
t3con21.typo3.com
t3dd.typo3.com - invalid events.typo3.com
t3dd19.typo3.com
t3dd20.typo3.com