The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Mogwai Security Advisory MSA-2014-02
----------------------------------------------------------------------
Title: JobControl (dmmjobcontrol) Multiple Vulnerabilities
Product: dmmjobcontrol (Typo3 Extension)
Affected versions: 2.14.0
Impact:high
Remote:yes
Product link:http://typo3.org/extensions/repository/view/dmmjobcontrol
Reported:05/09/2014
by:Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs
("vacancies") on your website. It provides a list- and detail view and
the ability to search and apply for jobs. It can even make RSS feeds of
your joblist.
It works with html templates so it's easy to configure how the extension
will look for your site. The list can be shown as a "paginated list",
including a page-browser. The extension itself is multi-lingual, at this
moment English, Danish, Polish, German, Russian and Dutch are included.
The best feature however is that multi-lingual jobs are fully supported
too, so you can provide a translation for a job if you have a multi-lingual
site.
JobControl uses MM-relation tables for regions, branches, sectors etc.
This means that for every new site, you can make a new list of branches to
use. They are not hardcoded and don't require any TypoScript to set up.
JobControl is very easy to set up, with good default templates that can
be styled to your needs using css stylesheets. It's very powerful and
flexible too with lots of configuration options for advanced users.
Business recommendation:
----------------------------------------------------------------------
According to the Typo3 Security Team the extension maintainer does not
maintain the extension any longer and thus, is not providing an update.
Exploitation can be prevented with the workaround below. However, the
extension should be replaced with a maintained alternative.
Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
dmmjobcontrol provides a search function for the job database. Several
input fields (for example education, region, sector) are used without
proper sanitization to create the SELECT statement of the search query.
2) Reflected Cross Site Scripting (XSS)
The value of the "keyword" parameter is used without any sanitization
to create the html response of the search request. This can be abused
to inject malicious HTML/JavaScript code into the HTML response.
Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
The following PoC shows blind based SQL injection on the sector parameter, other
parameters are also vulnerable
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20
2) Reflected Cross Site Scripting (XSS)
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=">
Vulnerable / tested versions:
----------------------------------------------------------------------
dmmjobcontrol 2.14.0
Disclosure timeline:
----------------------------------------------------------------------
05/09/2014: Reporting to the Typo3 Security team
05/09/2014: Response from Typo3 Security team that they received the mail
24/09/2014: Mail to Typo3 Security team, asking for the current status
25/09/2014: Response from Typo3 Security Team that they released an advisory[1]
25/09/2014: Release of public advisory
Workaround (use on your own responsiblity):
----------------------------------------------------------------------
In the file:
typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php
To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the
following PHP code:
$markerArray['###KEYWORD_VALUE###'] =
htmlspecialchars($session['search']['keyword'], ENT_QUOTES);
To fix the SQL Injection vulnerability, replace line 257 with the following
PHP code:
$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND
('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=',
intval($value)).')';
References:
----------------------------------------------------------------------
[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl
(dmmjobcontrol)
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
Tel. +49 731 205 89 0
Fax +49 731 205 89 29
[email protected]
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum