
Typo3 JobControl 2.14.0 Cross Site Scripting / SQL Injection

Posted Sep 26, 2014
Authored by Hans-Martin Muench

Typo3 JobControl version 2.14.0 suffers from cross site scripting and remote SQL injection vulnerabilities. Typo3 no longer provides updates for this extension and it is considered unsafe to use.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | fd26ba8328d734e82a7dea5f7dff200a5a1a0a8862c060bfd070948aa195c3db

Mogwai Security Advisory MSA-2014-02
----------------------------------------------------------------------
Title:              JobControl (dmmjobcontrol) Multiple Vulnerabilities
Product:            dmmjobcontrol (Typo3 Extension)
Affected versions:  2.14.0
Impact:             high
Remote:             yes
Product link:       https://typo3.org/extensions/repository/view/dmmjobcontrol
Reported:           05/09/2014
by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


Vendor's Description of the Software:
----------------------------------------------------------------------
JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs
("vacancies") on your website. It provides a list- and detail view and
the ability to search and apply for jobs. It can even make RSS feeds of
your joblist.

It works with html templates so it's easy to configure how the extension
will look for your site. The list can be shown as a "paginated list",
including a page-browser. The extension itself is multi-lingual, at this
moment English, Danish, Polish, German, Russian and Dutch are included.
The best feature however is that multi-lingual jobs are fully supported
too, so you can provide a translation for a job if you have a multi-lingual
site.

JobControl uses MM-relation tables for regions, branches, sectors etc.
This means that for every new site, you can make a new list of branches to
use. They are not hardcoded and don't require any TypoScript to set up.

JobControl is very easy to set up, with good default templates that can
be styled to your needs using css stylesheets. It's very powerful and
flexible too with lots of configuration options for advanced users.


Business recommendation:
----------------------------------------------------------------------
According to the Typo3 Security Team, the extension maintainer no longer
maintains the extension and is therefore not providing an update.

Exploitation can be prevented with the workaround below. However, the
extension should be replaced with a maintained alternative.

Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
dmmjobcontrol provides a search function for the job database. Several
input fields (for example education, region, sector) are used without
proper sanitization to create the SELECT statement of the search query.

2) Reflected Cross Site Scripting (XSS)
The value of the "keyword" parameter is used without any sanitization
to create the html response of the search request. This can be abused
to inject malicious HTML/JavaScript code into the HTML response.


Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
The following PoC shows blind SQL injection via the sector parameter; the
other search parameters are also vulnerable.
https://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20

2) Reflected Cross Site Scripting (XSS)
https://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=">

Vulnerable / tested versions:
----------------------------------------------------------------------
dmmjobcontrol 2.14.0


Disclosure timeline:
----------------------------------------------------------------------
05/09/2014: Reporting to the Typo3 Security team
05/09/2014: Response from Typo3 Security team that they received the mail
24/09/2014: Mail to Typo3 Security team, asking for the current status
25/09/2014: Response from Typo3 Security Team that they released an advisory[1]
25/09/2014: Release of public advisory


Workaround (use on your own responsibility):
----------------------------------------------------------------------
In the file:
typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php

To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the
following PHP code:
$markerArray['###KEYWORD_VALUE###'] =
htmlspecialchars($session['search']['keyword'], ENT_QUOTES);

To fix the SQL Injection vulnerability, replace line 257 with the following
PHP code:
// $value is the submitted array (e.g. sector[]), and implode() requires an
// array, so intval() must be applied to each element rather than to $value
$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND
('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=',
array_map('intval', (array)$value)).')';
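The two workarounds above, written out as an added example (not the extension's or the advisory author's code) so that their effect on the advisory's own PoC inputs can be seen side by side with the vulnerable construction. The table name `sector_mm` is a constructed placeholder; the column names follow the line-257 snippet.

```php
<?php
// Added example: the advisory's two fixes as stand-alone functions, run
// against the decoded PoC values from this advisory.

// Vulnerable form: array elements are concatenated into the WHERE clause
// unchanged, so a value such as "3)and benchmark(...)-- " closes the
// parenthesis and appends arbitrary SQL.
function buildWhereVulnerable(string $table, array $value): string
{
    return $table . '.uid_local=tx_dmmjobcontrol_job.uid AND ('
        . $table . '.uid_foreign='
        . implode(' OR ' . $table . '.uid_foreign=', $value) . ')';
}

// Hardened form (the advisory's fix with intval applied per element):
// every submitted id is cast to int before concatenation, so only digits
// can reach the query and the payload collapses to "3".
function buildWhereHardened(string $table, array $value): string
{
    $ids = array_map('intval', $value);
    return $table . '.uid_local=tx_dmmjobcontrol_job.uid AND ('
        . $table . '.uid_foreign='
        . implode(' OR ' . $table . '.uid_foreign=', $ids) . ')';
}

// Hardened keyword marker: ENT_QUOTES escapes <, >, &, " and ', which is
// what the PoC value '">' relies on. Passing ENT_QUOTES explicitly matters
// because PHP versions before 8.1 default to ENT_COMPAT and leave ' intact.
function keywordMarker(string $keyword): string
{
    return htmlspecialchars($keyword, ENT_QUOTES);
}

// Constructed inputs: the decoded sector[] and keyword values of the PoC URLs.
$sector  = ['3)and benchmark(20000000,sha1(1))-- '];
$keyword = '">';

echo "vulnerable: " . buildWhereVulnerable('sector_mm', $sector) . PHP_EOL;
echo "hardened:   " . buildWhereHardened('sector_mm', $sector) . PHP_EOL;
echo "keyword:    " . keywordMarker($keyword) . PHP_EOL;
```

Comparing the two WHERE clauses printed for the same input shows why the per-element cast is the load-bearing part of the fix.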


References:
----------------------------------------------------------------------
[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl
(dmmjobcontrol)
https://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012

Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab


----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

Tel. +49 731 205 89 0
Fax +49 731 205 89 29
info@mogwaisecurity.de

