Developing Extensions
     With Security in Mind


                      Tutorial

            Henning Pingel
         <he...
Welcome!



                              Have a great time
                                at T3CON08!




2   Developing...
Overview
   Intro                                             (15 mins)
   Dangers of URI Tampering                     ...
Why a tutorial?
●   Four times more time than in a talk
●   More time for questions and discussion




    4   Developing ...
Who am I and who are you?
●   This tutorial is officially targeted at extension
    developers.
●   How many extensions ha...
The TYPO3 Security Team
●   On T3DD08 in
    Elmshorn
    (incomplete)
●   Often happy
    about secure
    software, but
...
...unhappy about insecure extensions




7   Developing extensions with security in mind
    Henning Pingel, October 09, 2...
Security Bulletins in 2008 (so far)
           TYPO3-20080924-2, TYPO3-20080924-1,
           TYPO3-20080919-1, TYPO3-2008...
Dangers of URI Tampering




●   There are infinite possibilities to fill the URI bar of
    the web browser.
●   “Try eve...
Information Disclosure
●   through certain files of content-type
     –   text/plain or
     –   text/html
●   through PHP...
TYPO3 Extensions...
●   ... often consist of a large number of files.
●   Those files can contain different “flavours” of
...
12   Developing extensions with security in mind
     Henning Pingel, October 09, 2008, T3CON08
Target Groups of Files in
                  Extensions
●   Images, CSS and HTML-Templates are there to be
    served to th...
Possible Impact
●   All extension's files are accessible via HTTP on a
    TYPO3 default installation. (.htaccess protecti...
The Fresh Milk Metaphor




                                                   How to get the milk with the
              ...
Harmless Example
tt_news Changelog File: A piece of information...
●   ...that is available from any T3 site using tt_news...
Example for Information
                 Disclosure      I use this real life
                                 example wit...
Best Practice


 If your extension really needs to generate a file to
       store data (like traces, logs, configuration
...
Directly Executable PHP Scripts
              and Includes
●   Visible PHP/MySQL error messages
●   Are TYPO3's mechanisms...
Example
●   Extension ftpbrowser (similar to quixplorer)
●   Bulletin was released in July 2007
●   Version 0.1.2 and belo...
How to prevent script execution
      outside of TYPO3 context?
●   Best case: All PHP code is wrapped in a class, class i...
rd
         Embedding 3 Party Tools in
             TYPO3 Extensions
                                                     ...
URI-Tampering: A Small Dilemma?
●   TYPO3 V4 Extension architecture is “like it is”, but it
    is the same situation for ...
Questions?




24   Developing extensions with security in mind
     Henning Pingel, October 09, 2008, T3CON08
Demystifying HTTP Requests

         How important is knowledge about HTTP?

               Every web server is a HTTP ser...
Experienced web
                                                   Evil hacker
        developer



                    ? ...
TYPOSCRIPT                                         SQL Injection
                                                         ...
TYPOSCRIPT                                         SQL Injection
                                                         ...
The Christmas Wish-list Metaphor
                                                   North pole




       Christmas Wish-l...
User-Agent                                        Web server




                            HTTP Request




            ...
Talking to a Web Server
●   Common HTTP request types
     –   GET
     –   POST
●   Differences between GET and POST?



...
A Short (but valid) GET Request
GET /go/dummy­4.2.2/ HTTP/1.1
Host: localhost

Contains information:
   ● Request type ...
The Most Basic POST Request
POST /go/dummy­4.2.2/index.php?id=1&no_cache=1 HTTP/1.1
Host: localhost
Content­Type: applic...
Further Common Request Fields
  ●   User-Agent                            Caution: These values can
  ●   Referer         ...
HTTP Tools for Firefox
●   Extensions for monitoring requests
     –   FireBug (output looks nice, but is often not comple...
Hand Crafting a HTTP Request
      Using Ancient Technologies
●   Why using telnet?
     –   Easy way to communicate via T...
Examples




                                           Demo




37   Developing extensions with security in mind
     Hen...
DIY Phase
●   The USB stick data contains a PDF with short
    instructions.
●   Alternatives:
     –   Analyse the source...
On Windows: Use PuTTy




●   Putty.exe is on the USB stick, just start it
●   Download: http://www.chiark.greenend.org.uk...
Grab a Coffee!


         We will continue with the tutorial at 11:45.




40   Developing extensions with security in min...
What Did We Learn?
●   HTTP server has no way to enforce specific user
    agent.
●   No way to hide sensitive data by GET...
Impact of Unsanitized
                  User Input


                              What is user input?


                 ...
PHP Superglobals
●   $_GET
●   $_POST
●   $_REQUEST (configurable mixture)
●   $_FILE
●   $_COOKIE
●   $_SERVER




43    ...
The Evolution of
                           Superglobals
 Extension          tslib_pibase::piVars (selection with prefix)
...
Methods of Validation
●   Cut out line breaks (where not acceptable)
●   String length checks (too long?)
●   Type checks ...
Sanitization
                    on TYPOSCRIPT Level
●   Sanitization of user supplied content
     –   when rendered into...
Vulnerability Types




       ...that are created by unsanitized user input




47   Developing extensions with security ...
SQL Injections
●   Prerequisite: Unsanitized user input is used inside of
    an SQL query string
●   Sanitization methods...
Code Execution /
    Remote or Local File Execution
●   Prerequisite: Unsanitized user input is used
     –   inside of an...
Path Traversal (“../../../”)
●   Prerequisite: Unsanitized user input is used to create
    the path to a file in the file...
Cross Site Scripting (XSS)
●   Prerequisite: Unsanitized user input is inserted into
    the HTML page
●   Sanitization me...
Open Redirects
●   Prerequisite: Unsanitized user input of type “URI” is
    used inside of a generated HTTP response head...
CRLF Injection
●   Prerequisite: Unsanitized user input is used to
    generate a dynamic HTTP response header.
●   Saniti...
Check Reliability of Sanitization
       Methods by Tests


                              How? Let's discuss.



         ...
Security Incident Handling

●   Contact us: security@typo3.org
●   Case 1: You have found an issue in your own
    extensi...
Thank You!




56   Developing extensions with security in mind
     Henning Pingel, October 09, 2008, T3CON08
Upcoming SlideShare
Loading in...5
×

Developing TYPO3 Extensions With Security In Mind

5,113

Published on

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,113
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Developing TYPO3 Extensions With Security In Mind

  1. 1. Developing Extensions With Security in Mind Tutorial Henning Pingel <henning@typo3.org> T3CON08, Berlin October 09, 2008 1 (Last update of slides: October 16, 2008)
  2. 2. Welcome! Have a great time at T3CON08! 2 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  3. 3. Overview  Intro (15 mins)  Dangers of URI Tampering (30 mins)  Demystifying HTTP Requests (45 mins)  Coffee Break (30 mins)  Unsanitized User Input (45 mins)  Security Issue Handling (15 mins)  Discussion (30 mins) 3 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  4. 4. Why a tutorial? ● Four times more time than in a talk ● More time for questions and discussion 4 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  5. 5. Who am I and who are you? ● This tutorial is officially targeted at extension developers. ● How many extensions have you written? ● How many vulnerability types do you know and understand? – 1 to 4 – 5 to 10 5 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  6. 6. The TYPO3 Security Team ● On T3DD08 in Elmshorn (incomplete) ● Often happy about secure software, but sometimes... 6 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  7. 7. ...unhappy about insecure extensions 7 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  8. 8. Security Bulletins in 2008 (so far) TYPO3-20080924-2, TYPO3-20080924-1, TYPO3-20080919-1, TYPO3-20080916-1, TYPO3-20080701-4, TYPO3-20080701-3, TYPO3-20080701-2, TYPO3-20080701-1, TYPO3-20080619-1, TYPO3-20080611-1, TYPO3-20080527-2, TYPO3-20080527-1, TYPO3-20080515-2, TYPO3-20080515-1, TYPO3-20080513-4, TYPO3-20080513-3, TYPO3-20080513-2, TYPO3-20080513-1, TYPO3-20080505-2, TYPO3-20080505-1, TYPO3-20080416-2, TYPO3-20080416-1 8 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  9. 9. Dangers of URI Tampering ● There are infinite possibilities to fill the URI bar of the web browser. ● “Try everything you want and see what happens.” 9 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  10. 10. Information Disclosure ● through certain files of content-type – text/plain or – text/html ● through PHP script files – directly executable PHP includes or – forgotten debug scripts 10 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  11. 11. TYPO3 Extensions... ● ... often consist of a large number of files. ● Those files can contain different “flavours” of information. ● Not all files within an extension are addressed at the same group of people. ● Metaphorically speaking, an extension can be a box of... 11 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  12. 12. 12 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  13. 13. Target Groups of Files in Extensions ● Images, CSS and HTML-Templates are there to be served to the frontend, to the whole world. ● Some images may only be there to be displayed in a backend module. ● SXW-Files, readme files, trace files are addresses to the administrator. ● Artefacts: files uploaded by accident (*.bak files, project files, subversion files) 13 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  14. 14. Possible Impact ● All extension's files are accessible via HTTP on a TYPO3 default installation. (.htaccess protection is beyond the scope of this tutorial.) ● File structure is publicly available on Extension Repository (TER). But this is not the problem! ● Impact: Information Disclosure may be possible through Forced browsing and File location guessing. ● Is there a real life metaphor for these terms? 14 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  15. 15. The Fresh Milk Metaphor How to get the milk with the best best-before date... 15 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  16. 16. Harmless Example tt_news Changelog File: A piece of information... ● ...that is available from any T3 site using tt_news (via Forced browsing) ● ...that is of no interest for the ordinary visitor of a web site. ● ...that contains information about which version of an extension is used. 16 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  17. 17. Example for Information Disclosure I use this real life example with the kind permission of Extension w4x_backup [Demo] the extension's author. Thank you! ● Bulletin was published in June 2007 ● Version 0.9.1 and below are vulnerable ● Version 0.9.2 contains security fixes ● Details: Bulletin TYPO3-20070612-1 ● Impact: In worst case, download of backup archive (containing db and file backup) ● Log file (with static filename and path) contains file name of backup archive 17 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  18. 18. Best Practice If your extension really needs to generate a file to store data (like traces, logs, configuration settings), avoid Information Disclosure by avoiding content-types text/plain or text/html. Put it into a dynamically generated PHP script with a .php file extension and also avoid guessable file names. 18 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  19. 19. Directly Executable PHP Scripts and Includes ● Visible PHP/MySQL error messages ● Are TYPO3's mechanisms of authentication, user privilege checks and permission checks respected before their code get's executed? 19 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  20. 20. Example ● Extension ftpbrowser (similar to quixplorer) ● Bulletin was released in July 2007 ● Version 0.1.2 and below are vulnerable I use this real life example with the ● Version 0.1.3 contains security fixes kind permission of the extension's author. Thank you! ● Bulletin TYPO3-20070709-1 ● Impact: Incorrect Authentication allows file upload if register_globals is activated in php.ini. ● You may analyse the code yourself in DIY phase. 20 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  21. 21. How to prevent script execution outside of TYPO3 context? ● Best case: All PHP code is wrapped in a class, class is not instantiated in file, nothing can happen. ● die() if some elemental TYPO3 constant doesn't exist (Example, or search TYPO3 core code for more examples) ● Backend modules: $BE_USER->modAccess($MCONF,1); 21 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  22. 22. rd Embedding 3 Party Tools in TYPO3 Extensions rd ● Everything already said also applies to 3 party tools. ● Additional problems: – Different authentication concepts (Example: Folder based authentication contra file based authentication. – Different architecture: Direct access to Superglobals – Different user types / session management – Keep up with upstream security announcements ● Example cases: phpmailer, mysqldumper, phpmyadmin 22 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  23. 23. URI-Tampering: A Small Dilemma? ● TYPO3 V4 Extension architecture is “like it is”, but it is the same situation for many currently popular web application. ● An extension developer can still prevent all vulnerabilities through careful design. ● Site administrators may put rules into a .htaccess file that prevent access to files via HTTP. ● FLOW3 / TYPO3 V5 have a different architecture. 23 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  24. 24. Questions? 24 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  25. 25. Demystifying HTTP Requests How important is knowledge about HTTP? Every web server is a HTTP server... Understanding HTTP basics as the key to web application security Demystifying HTTP means demystifying the web browser 25 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  26. 26. Experienced web Evil hacker developer ? ? 26 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  27. 27. TYPOSCRIPT SQL Injection techniques HTML/CSS ? PHP Backdoor ? XSS techniques installation AJAX 27 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  28. 28. TYPOSCRIPT SQL Injection techniques HTML/CSS HTTP PHP HTTP XSS Backdoor installation techniques AJAX 28 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  29. 29. The Christmas Wish-list Metaphor North pole Christmas Wish-list No letter without an answer! A nice pressy 29 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  30. 30. User-Agent Web server HTTP Request HTTP Response 30 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  31. 31. Talking to a Web Server ● Common HTTP request types – GET – POST ● Differences between GET and POST? 31 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  32. 32. A Short (but valid) GET Request GET /go/dummy­4.2.2/ HTTP/1.1 Host: localhost  Contains information: ● Request type (GET) ● Absolute path of URI ( /go/dummy-4.2.2/ ) ● Protocol version (HTTP/1.1) ● Network location (Host: localhost) Important: End of request header is marked by double CRLF (). 32 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  33. 33. The Most Basic POST Request POST /go/dummy­4.2.2/index.php?id=1&no_cache=1 HTTP/1.1 Host: localhost Content­Type: application/x­www­form­urlencoded Content­Length: 70  user=henning&pass=ddd&submit=Login&logintype=login&pid=2 &redirect_url= Content-Length must exactly match the postvar string length. Alternative Content-Type „multipart/formdata“ is being ignored here. 33 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  34. 34. Further Common Request Fields ● User-Agent Caution: These values can ● Referer be freely defined by the “instance” that creates ● Cookie the HTTP request. User­Agent: Mozilla/5.0 (X11; U; Linux i686; de;  rv:1.9.0.3) Gecko/2008092510 Ubuntu/8.04 (hardy)  Firefox/3.0.3 Referer: http://localhost/go/dummy­4.2.2/index.php? id=1&no_cache=1 Cookie: fe_typo_user=4c29c2fc83285e658569921fa91cf46e;  be_typo_user=e83066ebd9a71f2f13e0c17990d3cc2e;  PHPSESSID=cb689e18617bdc9ec5cbd77dd8992451 34 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  35. 35. HTTP Tools for Firefox ● Extensions for monitoring requests – FireBug (output looks nice, but is often not complete) – LiveHTTPHeaders (output looks not very nice, but Is reliable) ● For other browsers: – MSIE: HTTPWatch – Safari/Webkit: Built-in Web Inspector 35 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  36. 36. Hand Crafting a HTTP Request Using Ancient Technologies ● Why using telnet? – Easy way to communicate via TCP – Available on every platform – Plain text usage – Can't get any simpler ● Alternative on Windows: PuTTy 36 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  37. 37. Examples Demo 37 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  38. 38. DIY Phase ● The USB stick data contains a PDF with short instructions. ● Alternatives: – Analyse the source code of extension ftpbrowser ● Learn about register_globals if you are not familiar ● Find the PHP include script which contains the security holes – Craft HTTP requests yourself using telnet (or PuTTY) ● Task 1: Install LiveHTTPHeaders and use it to copy request data. ● Task 2: Create a simple valid GET request (no “Bad request” response) ● Task 3: Create a simple valid POST request 38 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  39. 39. On Windows: Use PuTTy ● Putty.exe is on the USB stick, just start it ● Download: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html 39 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  40. 40. Grab a Coffee! We will continue with the tutorial at 11:45. 40 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  41. 41. What Did We Learn? ● HTTP server has no way to enforce specific user agent. ● No way to hide sensitive data by GET or POST (besides HTTPS). ● There is no intimacy between the web browser and the web server. Nothing we can't to ourselves. 41 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  42. 42. Impact of Unsanitized User Input What is user input? Now we know: Nearly the complete HTTP request can be seen as user input 42 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  43. 43. PHP Superglobals ● $_GET ● $_POST ● $_REQUEST (configurable mixture) ● $_FILE ● $_COOKIE ● $_SERVER 43 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  44. 44. The Evolution of Superglobals Extension tslib_pibase::piVars (selection with prefix) t3lib_div::getIndpEnv() TYPO3 Core t3lib_div::_POST() t3lib_div::_GET() t3lib_div::GP() PHP $_POST $_GET $_REQUEST $_SERVER All values on t3-level are unescaped! No matter how the PHP setting magic_quotes is configured. We have to validate and escape them. 44 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  45. 45. Methods of Validation ● Cut out line breaks (where not acceptable) ● String length checks (too long?) ● Type checks (intval()) ● Regex based checks ● htmlspecialchars() ● mysqlrealescapestring() / fullQuoteStr() ● Checks agains lists (whitelist/blacklist) ● Check array's for unexpected cuckoo's eggs (values + Keys - in case of dynamic key generation) 45 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  46. 46. Sanitization on TYPOSCRIPT Level ● Sanitization of user supplied content – when rendered into HTML page via getText – when used in SQL queries using CONTENT object ● stdWrap offers – htmlSpecialChars – intval – removeBadHTML 46 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  47. 47. Vulnerability Types ...that are created by unsanitized user input 47 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  48. 48. SQL Injections ● Prerequisite: Unsanitized user input is used inside of an SQL query string ● Sanitization methods: – mysqlrealescapestring() for strings – Intval() for integer values (commonly id's) – If possible, check if integer value is in an invalid range (for example negative integer values) ● Impact: “Single line catastrophe” 48 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  49. 49. Code Execution / Remote or Local File Execution ● Prerequisite: Unsanitized user input is used – inside of an exec() or an eval() statement or similar. – Inside of an include() or require() statement. ● Sanitization methods: – Don't do this: I can't imagine a situation where this has to be done. – White lists of allowed commands ● Impact: “Single line catastrophe” 49 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  50. 50. Path Traversal (“../../../”) ● Prerequisite: Unsanitized user input is used to create the path to a file in the file system. ● Sanitization methods: Check path. ● Impact: Access to arbitrary files and file content 50 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  51. 51. Cross Site Scripting (XSS) ● Prerequisite: Unsanitized user input is inserted into the HTML page ● Sanitization methods: – htmlspecialchars() – RemoveXSS (introduced to core with TYPO3 4.2) – BBCode – If possible, check if integer value is in an invalid range (for example negative integer values) ● Impact: Cookie theft / Session hijacking possible, other dangerous stuff 51 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  52. 52. Open Redirects ● Prerequisite: Unsanitized user input of type “URI” is used inside of a generated HTTP response header. ● Example: header('Location: ' . $uri); or a similar way of redirection (meta tag) ● Sanitization methods: – Check URI against user definable white list ● Impact: Inexperienced user can be “hijacked” to a different web site. 52 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  53. 53. CRLF Injection ● Prerequisite: Unsanitized user input is used to generate a dynamic HTTP response header. ● Sanitization methods: – Check values against user definable white list – Prevent double Linefeeds (Newer PHP versions do that already in function header()) ● Impact: Various. Forcing user actions that the user is not aware of. 53 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  54. 54. Check Reliability of Sanitization Methods by Tests How? Let's discuss. Visit the tutorial of Oliver Klee to learn more about unit testing. 54 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  55. 55. Security Incident Handling ● Contact us: security@typo3.org ● Case 1: You have found an issue in your own extension. ● Case 2: You have found an issue in somebody elses extension. ● TYPO3 Security Team policy 55 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08
  56. 56. Thank You! 56 Developing extensions with security in mind Henning Pingel, October 09, 2008, T3CON08

×