TYPO3 11.5.24 - Path Traversal (Authenticated)

Exploit Author: Saeed reza Zamanian Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Unknown Published Date: 2024-03-18 
# Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated)
# Date: Apr 9, 2023
# Exploit Author: Saeed reza Zamanian
# Software Link: https://get.typo3.org/release-notes/11.5.24
# Version: 11.5.24
# Tested on: Kali 2022.3
# CVE : CVE-2023-30451


 In TYPO3 11.5.24, the filelist component allows attackers (with access to the administrator panel),
 to read arbitrary files by utilizing a directory traversal via the baseuri field, This is demonstrated through :
 POST /typo3/record/edit with ../../../ and the parameter
  data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].
  
-----------------------------------------------------
To exploit this vulnerability, follow these steps:

1. Log in to the administrator panel.
2. Navigate to 'file' > 'Filelist' section.
3. Right-click on a file storage and select 'New.'
4. Set the base URI to "../../../" and save.

After creating the file storage, the final HTTP request should resemble the one below. Once the file storage is created, refresh the page, enabling you to browse any directory on the server.

To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file.


TYPO3 11.5.24 — Authenticated Path Traversal (CVE-2023-30451)

This article explains the authenticated path traversal vulnerability disclosed for TYPO3 11.5.24 (CVE-2023-30451). It covers the technical root cause at a high level, impact and risk considerations, safe detection and remediation strategies, and developer-level hardening guidance. The goal is to help site owners, administrators, and developers understand the issue and respond without sharing exploit details.

Quick summary

Item Details
Vulnerability Authenticated path traversal allowing reading of arbitrary files via a file storage configuration field
CVE CVE-2023-30451
Affected version TYPO3 11.5.24 (reported)
Access required Authenticated user with access to the TYPO3 backend/admin panel
Impact Information disclosure: ability to read arbitrary files on the web server within file system permission limits
Mitigation Apply vendor patches or upgrade to a fixed TYPO3 release; sanitize/validate storage base paths; restrict backend access

What happened (high level)

The vulnerability emerged from insufficient validation of a configurable field used by TYPO3's file storage/filelist component. An authenticated backend user could supply a crafted directory reference in that field which the application accepted and used to resolve filesystem paths. Because the input was not properly canonicalized or constrained to a storage root, the system could be induced to present directories and files outside the expected area, leading to disclosure of sensitive files readable by the web server process.

Why this is important

  • Authenticated access: the attack requires backend access, so compromised or overly-broad admin accounts increase risk.
  • Arbitrary file read: attackers could view configuration files, credentials, private keys, or other sensitive data accessible to the web user.
  • Post-exploitation impact: leaked files may enable further compromise (credential reuse, lateral movement, privilege escalation).

Risk factors to consider

  • Number and privileges of backend accounts—many or weak accounts raise exposure.
  • Server filesystem layout and file permissions—what files are readable by the web user?
  • Presence of sensitive files in web root or adjacent directories (configuration files, database credentials, SSH keys).

Safe detection and auditing

Focus on defensive measurements: discover whether vulnerable configurations were created, look for suspicious values in file storage records, and review access logs for anomalous backend activity. Below are practical, non-actionable detection tips.

  • Search the TYPO3 database for storage configuration values that include unexpected path traversal patterns or sequences. Example defensive query (adjust to your DB schema and test in a safe environment):
-- Defensive example: find storage entries with traversal sequences
SELECT uid, title, configuration
FROM sys_file_storage
WHERE configuration LIKE '%..%';

Explanation: This SQL is a defensive query to help administrators locate file storage configuration entries that contain parent-directory markers. It helps identify suspicious or maliciously-modified storage records that should be reviewed or corrected.

  • Review backend activity logs for configuration changes made by administrators around the time of suspicious storage entries.
  • Check webserver access logs for requests to the backend filelist or storage-management interfaces coming from unusual IPs or at odd hours.
  • Confirm whether any unexpected file views occurred by correlating application logs with access timestamps.

Remediation and mitigation

Prioritize patching and apply vendor-supplied fixes. If immediate upgrading isn't possible, apply the following mitigations to reduce exposure.

  • Upgrade: Apply the official TYPO3 security patch or upgrade to a vendor-fixed release as documented by the TYPO3 security advisory.
  • Harden backend access: restrict access to the TYPO3 backend by IP allowlisting, VPN, or network segmentation; enforce strong passwords and multi-factor authentication for all administrative accounts.
  • Audit and revert suspicious storage entries: remove or correct any storage/base-path configurations that are not expected or that contain parent-directory markers.
  • WAF and filtering: deploy or tune web application firewall rules to block suspicious backend update attempts and to limit requests that attempt to alter storage configurations.
  • Least privilege: ensure the web server user has the minimum filesystem permissions necessary; avoid storing sensitive secrets in locations readable by the webserver process.

Developer guidance and hardening

At the application level, prevent path traversal and protect filesystem operations by using canonicalization, allowlists, and strict validation. The following code shows a defensive PHP function to validate and normalize a submitted storage base path and ensure it resides inside an allowed root. This is an example of a server-side check you can add; adapt it to your framework and environment.

<?php
/**
 * Validate and normalize a candidate base path to prevent directory traversal.
 * Returns the safe absolute path if valid, or null if the value is rejected.
 *
 * @param string $candidatePath  User-supplied path fragment
 * @param string $allowedRoot    Absolute path to allowed storage root (no trailing slash)
 * @return string|null
 */function normalizeBasePath(string $candidatePath, string $allowedRoot): ?string
{
    // Disallow null bytes and normalize directory separators
    $candidatePath = str_replace("\0", '', $candidatePath);
    $candidatePath = str_replace(['\\', '/'], DIRECTORY_SEPARATOR, $candidatePath);

    // Prepend the allowed root to create an absolute path candidate
    $abs = $allowedRoot . DIRECTORY_SEPARATOR . ltrim($candidatePath, DIRECTORY_SEPARATOR);

    // Resolve symbolic links and normalize .. segments
    $real = realpath($abs);

    // realpath may return false if the path does not exist; treat missing paths as invalid
    if ($real === false) {
        return null;
    }

    // Ensure the resolved path is inside the allowed root
    if (strpos($real, $allowedRoot) === 0) {
        return $real;
    }

    // Otherwise, reject to prevent traversal outside the root
    return null;
}
?>

Explanation: This function demonstrates a defensive approach. It builds an absolute path using a known allowed root, invokes realpath to canonicalize the result (resolving ../ and symlinks), and then checks that the canonical path begins with the allowed root. If any check fails, it rejects the input. Note: in production code handle non-existent paths according to your policy (create directories only after validation, log attempts, and avoid auto-creating paths that bypass checks).

Operational recommendations

  • Implement strict change control and approval for backend configuration changes.
  • Monitor audit logs for attempts to modify file storage settings and set up alerts for unusual edits.
  • Rotate secrets and review credentials if you suspect that sensitive files were accessed.
  • Maintain a tested incident response plan that includes forensic capture of relevant logs, DB exports, and system images prior to remediation where appropriate.

Post-incident checklist

  • Confirm all instances are patched or upgraded to the fixed TYPO3 release.
  • Review and sanitize storage configuration entries; remove any unexpected base-path values.
  • Audit accounts with backend access; revoke unused accounts and force password resets where indicated.
  • Search for suspicious file downloads or data exfiltration; restore from backups if necessary and validate backups.

Further reading and resources

  • TYPO3 official security advisories and release notes — consult the TYPO3 website for authoritative guidance and the exact fixed version.
  • OWASP guidance on path traversal and input validation.
  • Best practices for secure file handling: canonicalization, allowlists, and principle of least privilege.

Address this vulnerability by following vendor guidance, applying patches promptly, and strengthening access controls and input validation. Defensive detection and developer hardening are essential to prevent similar issues in the future.