CVE-2020-11069 in TYPO3
Summary
by MITRE
In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victim's user session. In a worst-case scenario, new admin users can be created which can directly be used by an attacker.

The vulnerability is basically a cross-site request forgery (CSRF) triggered by a cross-site scripting vulnerability (XSS), but it happens on the same target host; thus, it is actually a same-site request forgery. Malicious payload such as HTML containing JavaScript might be provided by either an authenticated backend user or by a non-authenticated user using a third-party extension, e.g. file upload in a contact form when the target location is known. To be successful, the attacked victim requires an active and valid backend or install tool user session at the time of the attack.

This has been fixed in 9.5.17 and 10.4.2. The deployment of additional mitigation techniques is suggested as described below.

- Sudo Mode Extension: This TYPO3 extension intercepts modifications to security-relevant database tables, e.g. those storing user accounts or storages of the file abstraction layer. Modifications need to be confirmed again by the acting user providing their password again. This technique is known as sudo mode. This way, unintended actions happening in the background can be mitigated.
  - https://github.com/FriendsOfTYPO3/sudo-mode
  - https://extensions.typo3.org/extension/sudo_mode
- Content Security Policy: Content Security Policies tell (modern) browsers how resources served by a particular site are handled. It is also possible to disallow script executions for specific locations. In a TYPO3 context, it is suggested to disallow direct script execution at least for the locations /fileadmin/ and /uploads/.
Analysis
by VulDB Data Team • 10/18/2020
The vulnerability identified as CVE-2020-11069 is a same-site request forgery flaw affecting TYPO3 CMS versions 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1. It chains cross-site scripting with request forgery: a script that runs in the TYPO3 site's own origin issues requests to the backend user interface or the install tool on behalf of a logged-in user. The term "same-site" is deliberate; it should not be confused with server-side request forgery, which is unrelated. Because the forged requests originate from the target host itself, the browser attaches the victim's session cookie, and a script in that origin can fetch backend pages and read any anti-CSRF token they contain, so neither SameSite cookie attributes nor Origin or Referer validation can tell the forged requests apart from legitimate ones. The weakness is classified under CWE-352 (Cross-Site Request Forgery) and maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript).
Exploitation starts from a resource the attacker has already placed on the web server: typically an HTML file with embedded JavaScript, uploaded either by a low-privileged backend user or anonymously through a third-party extension that accepts file uploads (a contact form, for example) into a location the attacker can predict, such as a path below /fileadmin/ or /uploads/. When a user who holds an active backend or install tool session opens that file, the browser executes the script in the site's origin, and every request the script makes carries the victim's session. The XSS component delivers the payload; the forgery component turns the victim's privileges into actions the victim never intended, up to creating a new administrator account under the attacker's control. Traditional CSRF defences assume the forged request arrives from a foreign origin. Here it does not, which is why the attack succeeds even on sites that already set SameSite cookies or check the Origin header.
The impact goes well beyond data disclosure. A successful attack lets the attacker perform any action the victim can, and with an administrator as the victim that includes creating a new administrator account that outlives the victim's session, giving the attacker durable access that no longer depends on the victim at all. With backend privileges an attacker can change system configuration, read stored data, alter published content and potentially pivot to other systems reachable from the CMS host. Note that this is session riding rather than session hijacking: the attacker never obtains the victim's session identifier, but borrows the session while the victim's browser executes the payload, so secure cookie handling alone does not prevent it. Exposure is greatest on installations with many backend users or with third-party upload paths, where both the chance that a malicious file lands on the server and the chance that an administrator opens it are higher.
Remediation is to update to TYPO3 9.5.17 or 10.4.2, the releases that fix the issue in the backend interface and the install tool. Patching should be prioritised because the preconditions are ordinary: an upload path and an administrator who opens a file. Two defence-in-depth measures are recommended regardless of version. The sudo mode extension (https://github.com/FriendsOfTYPO3/sudo-mode, also published at https://extensions.typo3.org/extension/sudo_mode) intercepts writes to security-relevant tables such as backend user accounts and file storage records and requires the acting user to re-enter their password before the change is applied; a script running silently in the victim's session cannot supply that password by itself, so the account-creation step fails even though the forged request is otherwise accepted. The second measure is a Content Security Policy on the upload locations, at minimum /fileadmin/ and /uploads/, that forbids script execution: an uploaded HTML file is still served, but the browser refuses to run any script it contains, which removes the XSS half of the chain. The policy has to be delivered on responses for those paths (in the web server configuration or a per-directory .htaccess), not only on backend pages. Beyond these, review who can upload files and where those files are served from, audit backend user accounts for administrators nobody can account for, and monitor backend logs for account creation and privilege changes.
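The following is an added example, written for this page to illustrate the sudo mode gate described above; it is a model of the technique, not the code of the FriendsOfTYPO3/sudo-mode extension or of TYPO3. The guarded table names, the five-minute window, the in-memory session state and the walk-through scenario are assumptions. The point it makes is that the gate sits in the server-side write path and refuses a well-formed, session-authenticated write unless the user has just re-entered a password, which a script riding the victim's session cannot do on its own.

```python
"""Model of a sudo-mode gate in a CMS write path (added example, not
extension or TYPO3 code; table names, lifetime and scenario are assumptions)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Tables whose modification needs a fresh password confirmation (assumed list,
# mirroring the advisory's "user accounts" and "file storages").
GUARDED_TABLES = {"be_users", "sys_file_storage"}
SUDO_LIFETIME = 5 * 60  # seconds a confirmation stays valid (assumption)


@dataclass
class BackendUser:
    username: str
    salt: bytes
    password_hash: bytes
    sudo_verified_at: float | None = None  # time of the last confirmation


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> BackendUser:
    salt = os.urandom(16)
    return BackendUser(username, salt, hash_password(password, salt))


def confirm_sudo(user: BackendUser, password: str, now: float) -> bool:
    """Re-verify the password in constant time; on success open the window."""
    ok = hmac.compare_digest(user.password_hash, hash_password(password, user.salt))
    if ok:
        user.sudo_verified_at = now
    return ok


def sudo_active(user: BackendUser, now: float) -> bool:
    return user.sudo_verified_at is not None and now - user.sudo_verified_at <= SUDO_LIFETIME


@dataclass
class DataHandler:
    """Minimal stand-in for the CMS write path: applies a record or refuses it."""
    applied: list[tuple[str, dict]] = field(default_factory=list)

    def write(self, user: BackendUser, table: str, record: dict, now: float) -> str:
        if table in GUARDED_TABLES and not sudo_active(user, now):
            # The request is well-formed and carries the victim's session,
            # but nobody typed a password recently: refuse the change.
            return "sudo_required"
        self.applied.append((table, record))
        return "applied"


def scenario() -> list[str]:
    """Constructed walk-through: a forged admin creation is refused, a wrong
    password does not open the window, the real user's confirmation lets a
    change through, the window expires, and unguarded tables are unaffected."""
    admin = create_user("admin", "correct horse battery staple")
    handler = DataHandler()
    t0 = 1_600_000_000.0
    new_admin = {"username": "attacker", "admin": 1}
    out = [handler.write(admin, "be_users", new_admin, t0)]             # forged, no sudo
    out.append(str(confirm_sudo(admin, "wrong", t0 + 1)))             # guessed password
    out.append(handler.write(admin, "be_users", new_admin, t0 + 2))    # still refused
    confirm_sudo(admin, "correct horse battery staple", t0 + 3)       # real user confirms
    out.append(handler.write(admin, "be_users", {"username": "editor"}, t0 + 4))
    out.append(handler.write(admin, "be_users", new_admin, t0 + 4 + SUDO_LIFETIME + 1))
    out.append(handler.write(admin, "pages", {"title": "News"}, t0 + 9999))  # unguarded
    return out


if __name__ == "__main__":
    print(scenario())
```

Two caveats follow from the model. The gate only helps if it is enforced in the server-side write path, because a script in the victim's origin can drive any client-side UI. And while the window is open the same script can still write guarded tables, so the lifetime should be short and the confirmation should be tied to the specific action the user is shown, not to the session as a whole.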
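The Content Security Policy recommendation above is only as good as the header actually delivered for files under /fileadmin/ and /uploads/, and a policy such as default-src 'self' looks protective while still allowing a second uploaded file to be loaded as a script. The following added example, not code from TYPO3 or the advisory, evaluates the policy served on upload paths: it follows the CSP3 fallback chains for script elements and inline handlers, treats only the 'none' keyword or an empty source list as blocking, ignores Report-Only headers, and handles several policies on one response. The RECOMMENDED_POLICY value and the sample responses are assumptions constructed for the demonstration; on a real site the headers would come from an HTTP client.

```python
"""Check whether the CSP served for TYPO3 upload locations forbids script
execution (added example; policy string and sample responses are assumptions)."""
from __future__ import annotations

# Directories the advisory names as the minimum to cover.
UPLOAD_PREFIXES = ("/fileadmin/", "/uploads/")

# A policy that denies scripts but still lets same-site images and styles load
# (assumption, tune per site). form-action 'none' additionally stops an
# uploaded HTML form from posting anywhere; the sandbox directive is omitted
# here only to keep the check focused on scripts.
RECOMMENDED_POLICY = (
    "default-src 'none'; img-src 'self'; media-src 'self'; style-src 'self'; "
    "font-src 'self'; object-src 'none'; script-src 'none'; "
    "form-action 'none'; frame-ancestors 'self'"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split one policy into {directive: [source expressions]}. The first
    occurrence of a directive wins; browsers ignore later duplicates."""
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def policy_blocks_scripts(policy: str) -> bool:
    """True only if neither <script> elements nor inline event handlers can run.
    CSP3 fallback: script-src-elem / script-src-attr -> script-src -> default-src.
    A missing chain means unrestricted; 'none' alongside other sources is ignored."""
    d = parse_csp(policy)
    chains = (
        ("script-src-elem", "script-src", "default-src"),  # <script> elements
        ("script-src-attr", "script-src", "default-src"),  # inline event handlers
    )
    for chain in chains:
        sources = next((d[name] for name in chain if name in d), None)
        if sources is None or not all(s.lower() == "'none'" for s in sources):
            return False
    return True


def enforced_policies(headers: list[tuple[str, str]]) -> list[str]:
    """Keep enforced policies only. Report-Only headers merely log violations.
    A header may carry several comma-separated policies."""
    return [
        p.strip()
        for name, value in headers
        if name.lower() == "content-security-policy"
        for p in value.split(",")
    ]


def scripts_blocked(headers: list[tuple[str, str]]) -> bool:
    """Each delivered policy is enforced independently, so the strictest decides."""
    return any(policy_blocks_scripts(p) for p in enforced_policies(headers))


def audit(responses: dict[str, list[tuple[str, str]]]) -> dict[str, bool]:
    """Map each upload-directory path to whether scripts are blocked there."""
    return {
        path: scripts_blocked(headers)
        for path, headers in responses.items()
        if path.startswith(UPLOAD_PREFIXES)
    }


# Constructed sample responses, not captured from a real site.
SAMPLE_RESPONSES = {
    "/fileadmin/user_upload/report.html": [          # hardened
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", RECOMMENDED_POLICY),
    ],
    "/uploads/pics/gallery.html": [                  # weak: 'self' allows /uploads/x.js
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'"),
    ],
    "/uploads/media/index.html": [                   # weak: report-only, nothing enforced
        ("Content-Type", "text/html"),
        ("Content-Security-Policy-Report-Only", "default-src 'none'"),
    ],
    "/typo3/index.php": [("Content-Type", "text/html")],  # not an upload path
}

if __name__ == "__main__":
    for path, ok in audit(SAMPLE_RESPONSES).items():
        print(("OK   " if ok else "FAIL ") + path)
```

To apply the policy with Apache, a .htaccess in each upload directory can set it with mod_headers (Header set Content-Security-Policy "..."); with nginx, an add_header inside the location block for the path. Whichever way it is deployed, fetch an HTML file from each upload directory afterwards and run its response headers through the check, since a header set only for backend pages does nothing for uploaded files.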