This project is using TYPO3 v9.5.8 with a couple of unfixed/reverted security fixes. It is supposed to be insecure and serves as foundation for showing potential attack vectors against TYPO3.
- Install Tool access via Cross-Site Scripting & Cookie not using HTTP-only flag
- Remote controlling clients via Cross-Site Scripting & BeEF
- Retrieve
encryptionKeyin order to create signatures ("signed attacks") & create new admin user via Insecure Deserialization and injected TypoScript - Classic SQL Injection via Stupid TypoScript
The mentioned hacks were demonstrated during TYPO3camp Mitteldeutschland, Dresden, DE in January 2019 - spoken language is unfortunately German, Slides are in English.
https://www.youtube.com/watch?v=lefgKJSWqx0&feature=youtu.be&t=10800
- having Docker and DDEV installed
- clone git repository
- execute ddev start
- execute ddev composer install
- import database using ddev import-db --src ./ddev/database.sql.gz
- web project is provided at http://typo3v9-hack.ddev.site/
- admin/password
- user/password
Hook to be used as XSS attack vector (to be injected in target application):
http://typo3v9-hack.ddev.site:3000/hook.js
Admin and Control interface:
http://typo3v9-hack.ddev.site:3000/ui/panel
- username: admin
- password: joh316
- https://beefproject.com/
- https://typo3.org/help/security-advisories/
- https://typo3.org/cms/roadmap/maintenance-releases/
In case of finding additional security issues in the TYPO3 project please get in touch with the TYPO3 Security Team at [email protected]. Please do not disclose issues in the public without according coordination.