CVE-2011-4614 : Détail

CVE-2011-4614

Code Injection
A03-Injection
5.22%V4
Network
2012-02-18
00h00 +00:00
2024-09-17
04h24 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

PHP remote file inclusion vulnerability in Classes/Controller/AbstractController.php in the workspaces system extension in TYPO3 4.5.x before 4.5.9, 4.6.x before 4.6.2, and development versions of 4.7 allows remote attackers to execute arbitrary PHP code via a URL in the BACK_PATH parameter.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 18308

Date de publication : 2012-01-03 23h00 +00:00
Auteur : MaXe
EDB Vérifié : Yes

# Exploit Title: Typo3 v4.5-4.7 - Remote Code Execution (RFI/LFI) # Date: 4th January 2012 # Author: MaXe # Software Link: https://typo3.org/download/ # Version: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development releases of 4.7 branch) Typo3 v4.5-4.7 - Remote Code Execution (RFI/LFI) Versions Affected: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development releases of 4.7 branch) Info: TYPO3 is a small to midsize enterprise-class Content Management Framework offering the best of both worlds: out-of-the-box operation with a complete set of standard modules and a clean and sturdy high-performance architecture accomodating virtually every kind of custom solution or extension. External Links: http://typo3.org/ Credits: Björn Pedersen and Christian Toffolo who discovered and reported the issue and the Security Team member Helmut Hummel for providing the patch. (This advisory was rewritten by MaXe @InterN0T to offer a quick overview of the vulnerability, including the removal of all irrelevant and untrue details. -:: The Advisory ::- Requirements for any RCE: - register_globals in the php.ini MUST be enabled (if the exploit fails against a supposed to be vulnerable version, this is why. This setting is often disabled by default.) Requirements for RFI: - allow_url_include has to be enabled (It's often "off" by default.) Proof of Concept: By browsing to a script / page, that uses the following file: typo3/sysext/workspaces/Classes/Controller/AbstractController.php (direct access may not be allowed) It is possible to include PHP code to be executed via the "BACK_PATH" global variable. This can be accessed in ways like: AbstractController.php?BACK_PATH=LFI/RFI%00 The vulnerable piece of code: require_once($GLOBALS['BACK_PATH'] . 'template.php'); Demonstrates, that it is necessary to append a null-byte ( %00 ) after the maliciously crafted input / URL. (Unless your remote file if applicable, is named something.template.php) -:: Solution ::- * Update to the latest version of Typo3 OR change the vulnerable piece of code to: require_once(PATH_site . TYPO3_mainDir . 'template.php'); References: - http://typo3.org/fileadmin/security-team/bug32571/32571.diff - https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/ - http://news.typo3.org/news/article/important-security-bulletin-pre-announcement-2/

Products Mentioned

Configuraton 0

Typo3>>Typo3 >> Version 4.5

Typo3>>Typo3 >> Version 4.5.1

Typo3>>Typo3 >> Version 4.5.2

Typo3>>Typo3 >> Version 4.5.3

Typo3>>Typo3 >> Version 4.5.4

Typo3>>Typo3 >> Version 4.5.5

Typo3>>Typo3 >> Version 4.5.6

Typo3>>Typo3 >> Version 4.5.7

Typo3>>Typo3 >> Version 4.5.8

Configuraton 0

Typo3>>Typo3 >> Version 4.6

Typo3>>Typo3 >> Version 4.6.1

Références

http://www.osvdb.org/77776
Tags : vdb-entry, x_refsource_OSVDB
http://secunia.com/advisories/47201
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.openwall.com/lists/oss-security/2011/12/16/1
Tags : mailing-list, x_refsource_MLIST
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.