CVE-2022-44543: Bypassing User Group Restrictions in TYPO3's femanager Extension
CVE-2022-44543 is a vulnerability in the femanager extension for TYPO3, affecting versions before 5.5.2, 6.3.3, and 7.0.1. It allows attackers to create frontend users in restricted user groups by bypassing a protection mechanism called "usergroup.inList." This article describes the flaw, with the relevant code snippet and the original references.
Description of the Vulnerability
TYPO3's femanager extension is a popular tool for managing frontend user registration and profile management. One key feature of femanager is its ability to manage users in various groups, making it possible to implement access control on different levels. However, the vulnerable versions mentioned above contain a flaw in the usergroup.inList protection mechanism that allows for the creation of frontend users in restricted groups when there is a user group field present on the registration form.
Upon registration, femanager uses a check involving the usergroup.inList mechanism, whose purpose is to verify if a user group is allowed to be selected by the person registering. Unfortunately, the mishandling of this mechanism allows attackers to bypass this safety check during registration and directly assign themselves to restricted groups.
Exploit Details
Inspecting the source code of the vulnerable versions shows how the usergroup.inList protection mechanism is mishandled, specifically in the "createAction" method in the file below:
Classes/Controller/RegistrationController.php
Relevant Code Snippet
$this->userGroupRepository->findByUids($this->request->getArgument('usergroup'));
Above, the findByUids method receives an argument directly from the request, utilizing the 'usergroup' parameter. Instead of filtering this parameter using the usergroup.inList mechanism, the application fetches the corresponding user groups directly from the database. Consequently, an attacker could create registration requests using crafted 'usergroup' parameters to insert themselves in any group, effectively bypassing the restriction.
Mitigation
To resolve this vulnerability, the TYPO3 femanager extension must be updated to version 5.5.2, 6.3.3, or 7.0.1, depending on the major version in use. The TYPO3 team has addressed the issue by enhancing the usergroup.inList protection mechanism, ensuring that unauthorized group assignments during registration are no longer possible.
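The check that the snippet above skips, written out as an added example in plain PHP: this is not femanager's code or the project's patch. The function names are hypothetical, and the allowlist is assumed to be a comma-separated list of group uids; the sample values are constructed.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: parse the assumed comma-separated allowlist of group uids. */
function parseAllowedGroups(string $inList): array
{
    $uids = [];
    foreach (explode(',', $inList) as $item) {
        $item = trim($item);
        if (preg_match('/^[1-9][0-9]{0,8}$/', $item) === 1) {
            $uids[(int)$item] = true; // array key removes duplicates
        }
    }
    return array_keys($uids);
}

/**
 * Validate the raw 'usergroup' request argument BEFORE any repository lookup.
 * Fails closed: a single malformed or non-allowlisted value rejects the request.
 *
 * @param mixed $requested raw request argument (scalar, array or null)
 * @return int[] uids that may be passed to a findByUids()-style lookup
 */
function validateRequestedGroups($requested, string $inList): array
{
    $allowed = parseAllowedGroups($inList);
    $result = [];
    foreach ((array)$requested as $value) {
        $value = is_int($value) ? (string)$value : $value;
        // Accept only plain positive decimal uids; nested arrays, "0", "-3", "3 " are rejected.
        if (!is_string($value) || preg_match('/^[1-9][0-9]{0,8}$/', $value) !== 1) {
            throw new InvalidArgumentException('Malformed usergroup value');
        }
        $uid = (int)$value;
        if (!in_array($uid, $allowed, true)) {
            throw new InvalidArgumentException('Usergroup ' . $uid . ' is not selectable');
        }
        $result[$uid] = true;
    }
    return array_keys($result);
}

// Constructed sample: groups 1 and 2 are selectable, 3 stands for a restricted group.
$inList = '1, 2';
var_dump(validateRequestedGroups(['1', '2'], $inList)); // both uids are in the allowlist
try {
    validateRequestedGroups(['1', '3'], $inList);       // 3 is outside the allowlist, so this throws
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

An empty or unparsable allowlist yields no selectable groups, so every non-empty request is rejected rather than silently accepted.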
Original References
This vulnerability, CVE-2022-44543, was first discovered and reported by Simon Köhler. Official advisories, details, and patch information can be found in the following resources:
1. TYPO3 femanager security advisory
2. GitHub commit to fix the vulnerability
3. CVE-2022-44543 in the NIST National Vulnerability Database
Conclusion
In summary, the CVE-2022-44543 vulnerability allows attackers to bypass the usergroup.inList protection mechanism in the femanager extension for TYPO3, potentially leading to unauthorized access or privileges on affected systems. Keeping TYPO3 installations on up-to-date femanager versions (5.5.2, 6.3.3, or 7.0.1), and thoroughly testing and understanding the security implications of any extensions within the TYPO3 environment, are essential steps towards safeguarding against this and other vulnerabilities.
Timeline
Published on: 12/12/2023 17:15:07 UTC
Last modified on: 12/14/2023 20:42:42 UTC