lab.mogwaisecurity.de because sharing is caring...

Typo3 Extension dmmjobcontrol Multiple Vulnerabilities

Title Typo3 Extension dmmjobcontrol Multiple Vulnerabilities
Id MSA-2014-02
CVE CVE-2014-7200 (XSS), CVE-2014-7201 (SQLi)
Product dmmjobcontrol (Typo3 Extension)
Affected versions 2.14.0
Impact high
Remote yes
Product link http://typo3.org/extensions/repository/view/dmmjobcontrol
Reported 05/09/2014
By Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:

JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs ("vacancies") on your website. It provides a list- and detail view and the ability to search and apply for jobs. It can even make RSS feeds of your joblist.

It works with html templates so it's easy to configure how the extension will look for your site. The list can be shown as a "paginated list", including a page-browser. The extension itself is multi-lingual, at this moment English, Danish, Polish, German, Russian and Dutch are included. The best feature however is that multi-lingual jobs are fully supported too, so you can provide a translation for a job if you have a multi-lingual site.

JobControl uses MM-relation tables for regions, branches, sectors etc. This means that for every new site, you can make a new list of branches to use. They are not hardcoded and don't require any TypoScript to set up.

JobControl is very easy to set up, with good default templates that can be styled to your needs using css stylesheets. It's very powerful and flexible too with lots of configuration options for advanced users.

Business recommendation:

According to the Typo3 Security Team the extension maintainer does not maintain the extension any longer and thus, is not providing an update.

Exploitation can be prevented with the workaround below. However, the extension should be replaced with a maintained alternative.

CVSS2 Rating (for CVE-2014-7201 - SQL Injection)

CVSS Base Score 7.8
Impact Subscore 6.9
Exploitability Subscore 10
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Vulnerability description

1) Unauthenticated Blind SQL Injection
dmmjobcontrol provides a search function for the job database. Several input fields (for example education, region, sector) are used without proper sanitization to create the SELECT statement of the search query.

2) Reflected Cross Site Scripting (XSS)
The value of the "keyword" parameter is used without any sanitization to create the html response of the search request. This can be abused to inject malicious HTML/JavaScript code into the HTML response.

Proof of concept:

The following PoC Python script can be used to download PHP files from a attacker controlled host.

1) Unauthenticated Blind SQL Injection
The following PoC shows blind based SQL injection on the sector parameter, other
parameters are also vulnerable
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20

2) Reflected Cross Site Scripting (XSS)
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D="><script>alert(1);</script>

Disclosure timeline:

05/09/2014 Reporting to the Typo3 Security team
05/09/2014 Response from Typo3 Security team that they received the mail
24/09/2014 Mail to Typo3 Security team, asking for the current status
25/09/2014 Response from Typo3 Security Team that they released an advisory[1]
25/09/2014 Release of public advisory

Workaround (use on your own responsiblity):

In the file: typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php

To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the following PHP code:

$markerArray['###KEYWORD_VALUE###'] = htmlspecialchars($session['search']['keyword'], ENT_QUOTES);

To fix the SQL Injection vulnerability, replace line 257 with the following PHP code:

$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND ('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=', intval($value)).')';

References:

[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl (dmmjobcontrol) http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012

Advisory URL: https://www.mogwaisecurity.de/#lab

Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

info@mogwaisecurity.de