Posted in exploit/TYPO3/ on August 06, 2009.
Today, a "TYPO3 exploit" appeared on a well-known exploits platform/database website.
The title is TYPO3 CMS 4.0 (showUid) Remote SQL Injection Vulnerability.
Quote:
Vulnerability:
http://www.host.com/index.php?id=[xxx][showUid]=[SQL-injection]&cHash=[xxx]
SQL-injection:
-1+union+select+username,2,password,4,5,6,7+from+be_users--
Admin Panel: /typo3/index.php
The fact that I'm actually writing on it once again proves that there is no such vulnerability.
In detail:
First of all, the TYPO3 4.0 branch is quite old but still supported with regard to security fixes. If you are using a TYPO3 4.0.X version, you might consider upgrading to at least the 4.1 branch. Soon, the new TYPO3 minor version 4.3.0 will be published, which means end of support for TYPO3 4.0.
The showUid parameter is generally used in third-party TYPO3 extensions, not in TYPO3 Core. Together with the tslib_pibase library, showUid is used to display the details of a single (database) record. The library provides access to the parameter value; it's up to the extension developer to sanitize all user-supplied input before it is used in, e.g., database queries. The TYPO3 Security Team section on the typo3.org website provides several tutorials on this topic.
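To make the extension developer's responsibility concrete, here is an added example (not code from TYPO3 or from any real extension) that contrasts an unsanitized showUid lookup with a validated, bound one. It assumes PHP 7+ with pdo_sqlite; the tables, the function names and the `$piVars` array standing in for the parameter values the library hands to the extension are all constructed for illustration.

```php
<?php
// Constructed in-memory database standing in for a site with one extension table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tx_demo_items (uid INTEGER PRIMARY KEY, title TEXT, body TEXT, c4, c5, c6, c7)');
$db->exec('CREATE TABLE be_users (username TEXT, password TEXT)');
$db->exec("INSERT INTO tx_demo_items VALUES (1, 'Hello', 'First record', 0, 0, 0, 0)");
$db->exec("INSERT INTO be_users VALUES ('admin', 'constructed-hash')");

// Vulnerable pattern: the raw parameter value is concatenated into the query.
function showRecordUnsafe(PDO $db, array $piVars): array
{
    $sql = 'SELECT * FROM tx_demo_items WHERE uid = ' . $piVars['showUid'];
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: accept only a positive integer, then bind it as an integer.
function showRecordSafe(PDO $db, array $piVars): array
{
    $uid = filter_var(
        $piVars['showUid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($uid === false) {
        return []; // missing, array-valued or non-numeric input: no record
    }
    $stmt = $db->prepare('SELECT * FROM tx_demo_items WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The string quoted in the post, URL-decoded ("+" becomes a space).
$quoted = '-1 union select username,2,password,4,5,6,7 from be_users--';

foreach (['1', $quoted, '1 OR 1=1', ''] as $value) {
    $safe = showRecordSafe($db, ['showUid' => $value]);
    printf("safe   showUid=%-62s rows=%d\n", var_export($value, true), count($safe));
}

// Only the concatenating variant lets the quoted string reach be_users.
$leak = showRecordUnsafe($db, ['showUid' => $quoted]);
printf("unsafe showUid=%-62s rows=%d first column=%s\n",
    var_export($quoted, true), count($leak), var_export($leak[0][0] ?? null, true));
```

The validation step alone already rejects the quoted string; the bound parameter is a second layer so the query stays safe even if the validation is later relaxed.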
The exploit request example does not and will not work as such - not on one single TYPO3 installation out there. It always needs a TYPO3 third-party extension to be involved.
Additionally, a blackhat has to be really lucky because he needs to find a vulnerable TYPO3 extension first. Good luck with that - the TYPO3 Security Team does its best to keep the official TYPO3 extension repository clean.
If I were the guy who uploaded this useless piece of "exploit code", I'd be pretty embarrassed now.
Considering the above-mentioned facts, the "exploit code" is more like a general article on SQL injection. Nothing more.
Conclusion: TYPO3 users don't have to worry about it.