Executive Summary

This vulnerability is an XML External Entity (XXE) injection issue in the OOXML file indexer of the TYPO3 extension "Faceted Search" (ke_search). The file indexer does not disable external entity resolution when parsing OOXML files such as xlsx or pptx. An attacker can craft a malicious xlsx or pptx document and place it in an indexed directory. When the indexer processes this file, it can cause local files to be read or trigger outbound HTTP requests. The content retrieved from these actions is then written into the search index.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows crafted OOXML files to cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. This can lead to unauthorized disclosure of sensitive or personal data stored on the server.

Such unauthorized data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access and disclosure.

Therefore, if exploited, this vulnerability could result in violations of these standards due to potential leakage of protected data through the search index.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of local files on the server where the TYPO3 extension is installed. Additionally, it can cause the system to make outbound HTTP requests, potentially leaking sensitive information or enabling further attacks. The retrieved content from these actions is stored in the search index, which could expose sensitive data to users with access to the index. This can compromise the confidentiality and integrity of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the OOXML file indexer processing crafted xlsx or pptx files placed in indexed directories, which can lead to local file reads or outbound HTTP requests. Detection involves monitoring for suspicious files in indexed directories and unusual outbound HTTP requests originating from the indexing process.

You can check for the presence of potentially malicious xlsx or pptx files in directories monitored by the TYPO3 Faceted Search extension. Additionally, monitoring network traffic for unexpected HTTP requests from the server may help detect exploitation attempts.

Specific commands might include:

• Listing suspicious files in indexed directories: `find /path/to/indexed/directory -type f \( -name '*.xlsx' -o -name '*.pptx' \)`
• Monitoring outbound HTTP requests from the server (example using tcpdump): `tcpdump -i eth0 -nn host <server_ip> and tcp port 80 or 443`
• Checking TYPO3 logs or search index logs for unexpected content or errors related to file indexing.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the TYPO3 Faceted Search extension to a fixed version. Versions 7.0.1, 6.6.1, and 5.6.2 or later contain fixes for this vulnerability.

Users should update the extension immediately via the TYPO3 extension manager, Packagist, or the official extension download page.

Additionally, follow the TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list for future updates and advisories.

Restrict backend user permissions to prevent unauthorized configuration changes to the indexers, as some vulnerabilities allow backend users with indexer configuration permissions to copy sensitive data.

Useful 0 Not Useful 0