|Title||Typo3 Extension dmmjobcontrol Multiple Vulnerabilities|
|CVE||CVE-2014-7200 (XSS), CVE-2014-7201 (SQLi)|
|Product||dmmjobcontrol (Typo3 Extension)|
|By||Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)|
JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs ("vacancies") on your website. It provides a list- and detail view and the ability to search and apply for jobs. It can even make RSS feeds of your joblist.
It works with HTML templates, so it is easy to configure how the extension will look on your site. The list can be shown as a "paginated list", including a page browser. The extension itself is multi-lingual; at the moment English, Danish, Polish, German, Russian and Dutch are included. The best feature, however, is that multi-lingual jobs are fully supported too, so you can provide a translation for a job if you have a multi-lingual site.
JobControl uses MM-relation tables for regions, branches, sectors etc. This means that for every new site, you can make a new list of branches to use. They are not hardcoded and don't require any TypoScript to set up.
JobControl is very easy to set up, with good default templates that can be styled to your needs using css stylesheets. It's very powerful and flexible too with lots of configuration options for advanced users.
According to the Typo3 Security Team, the extension maintainer no longer maintains the extension and is therefore not providing an update.
Exploitation can be prevented with the workaround below. However, the extension should be replaced with a maintained alternative.
|CVSS Base Score||7.8|
|CVSS v2 Vector||(AV:N/AC:L/Au:N/C:C/I:N/A:N)|
1) Unauthenticated Blind SQL Injection
dmmjobcontrol provides a search function for the job database. Several input fields (for example education, region, sector) are used without proper sanitization to create the SELECT statement of the search query.
2) Reflected Cross Site Scripting (XSS)
The keyword field of the search form (parameter tx_dmmjobcontrol_pi1[search][keyword]) is written back into the result page without HTML encoding, so attacker-supplied markup and script is reflected to the user.
1) Unauthenticated Blind SQL Injection
The following PoC shows blind SQL injection on the sector parameter; other parameters are also vulnerable:
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20
2) Reflected Cross Site Scripting (XSS)
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D="><script>alert(1);</script>
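For defenders who want to find out whether either issue has been probed on their site before the workaround was applied, the following script is an added example (not part of the advisory or of the extension) that scans web-server access logs for the two patterns above: non-numeric values in the integer relation fields of the search form (the fields the fix below casts with intval()) and markup characters in the reflected keyword field. The log lines are constructed for this example; the first two reproduce the PoC request paths from this advisory. The set of relation field names (education, region, sector) is an assumption taken from the fields the advisory names as affected.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Search fields resolved through MM-relation tables and cast to integers by the
# advisory's fix. Parameter names are an assumption based on the fields the
# advisory names (education, region, sector).
ID_FIELDS = {"education", "region", "sector"}
# Free-text field that the advisory's fix wraps in htmlspecialchars().
TEXT_FIELDS = {"keyword"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SEARCH_KEY_RE = re.compile(r"^tx_dmmjobcontrol_pi1\[search\]\[(\w+)\](\[\])?$")
# Characters that htmlspecialchars(..., ENT_QUOTES) has to encode.
MARKUP_RE = re.compile(r"""[<>"']""")

# Constructed sample access-log lines (Apache combined-style prefix). Lines 1
# and 2 carry the advisory's PoC request paths; line 3 is a benign search.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2014:10:01:02 +0200] "GET /jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20 HTTP/1.1" 200 5120
10.0.0.6 - - [25/Sep/2014:10:01:09 +0200] "GET /typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=%22%3E%3Cscript%3Ealert(1);%3C/script%3E HTTP/1.1" 200 4870
10.0.0.7 - - [25/Sep/2014:10:02:15 +0200] "GET /jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=engineer HTTP/1.1" 200 6011
"""


def search_params(request_path):
    """Yield (field, decoded value) for every tx_dmmjobcontrol_pi1[search][...] parameter."""
    query = urlsplit(request_path).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = SEARCH_KEY_RE.match(key)
        if m:
            yield m.group(1), value


def inspect_request(request_path):
    """Return a list of (field, reason) findings for one request path."""
    findings = []
    for field, value in search_params(request_path):
        if field in ID_FIELDS and not re.fullmatch(r"\d*", value):
            # The fixed code applies intval() here, so any non-digit content
            # is exactly what reached the WHERE clause unsanitised before.
            findings.append((field, "non-numeric value in integer relation field"))
        elif field in TEXT_FIELDS and MARKUP_RE.search(value):
            findings.append((field, "markup characters in reflected keyword"))
    return findings


def scan_log(log_text):
    """Return {line_number: findings} for every log line with at least one finding."""
    report = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_request(m.group(1))
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in sorted(scan_log(SAMPLE_LOG).items()):
        for field, reason in findings:
            print(f"line {lineno}: [{field}] {reason}")
```

Run against a real log, replace SAMPLE_LOG with the file contents; only requests whose query string carries tx_dmmjobcontrol_pi1[search][...] parameters are examined, so ordinary page views are ignored. The integer check mirrors the workaround: anything intval() would change is reported.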
|05/09/2014||Reporting to the Typo3 Security team|
|05/09/2014||Response from Typo3 Security team that they received the mail|
|24/09/2014||Mail to Typo3 Security team, asking for the current status|
|25/09/2014||Response from Typo3 Security Team that they released an advisory|
|25/09/2014||Release of public advisory|
In the file: typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php
To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the following PHP code:
$markerArray['###KEYWORD_VALUE###'] = htmlspecialchars($session['search']['keyword'], ENT_QUOTES);
To fix the SQL Injection vulnerability, replace line 257 with the following PHP code:
$ids = array_map('intval', (array)$value); // cast each submitted relation ID to an integer ($value is an array here, as the [sector][] parameter in the PoC shows, so intval($value) on the whole array would not work with implode())
$whereAdd = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND ('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=', $ids).')';
TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl (dmmjobcontrol) http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012
Advisory URL: https://www.mogwaisecurity.de/#lab
Mogwai, IT-Sicherheitsberatung Muench
89075 Ulm (Germany)