Use TYPO3 Phar Stream Wrapper Package to Secure Any PHP Project
Thanks to Tymoteusz Motylewski from Macopedia for sharing this story with us.
Collaboration, community-based learning and sharing genuinely boost motivation, are a main cause of progress and bring forth collective innovation that in turn testifies to the ideals of open source software like TYPO3. Let’s take a look at a recent example in the PHP ecosystem that demonstrates just how beneficial this approach can be in the larger scheme of things.
Late this summer, a serious security issue that affected many PHP applications was widely reported in the press, e.g. The Hacker News, SC Media and The Register. The vulnerability had the potential to disrupt web applications written in PHP for malicious purposes.
The programming language PHP comes with many built-in wrappers for various URL-style protocols for use within the filesystem functions. The phar:// wrapper is one of these, and Phar is also a package format. It lets you bundle code files and has been enabled by default since PHP 5.3.0. The disclosed vulnerability made it possible to take advantage of the way that PHP handles these self-extracting Phar files (formerly known as "PHP archives"). For TYPO3 it meant that Phar files could be invoked by manipulated URLs in backend forms.
Sam Thomas is a skilled security researcher who works for Secarma, UK. He first got in touch with TYPO3 to report the security flaw in June 2018. He provided an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. We’re grateful that he followed best practices of responsible disclosure and gave us reasonable time to deal with the matter before he publicly disclosed details.
In August 2018 he then presented the vulnerability at the leading information security event Black Hat USA 2018, where he demonstrated how to trigger the flaws to hack a site built with PHP using an author account and then take full control over the underlying web server. The exploit was a severe new attack technique that leveraged “critical deserialization vulnerabilities in PHP.” The news spread fast that this “new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and TYPO3.”
Discovering security flaws has little value if you don’t also report them to users. Timely reporting directly to those concerned in advance (responsible disclosure) as well as to the public (full disclosure) at an appropriate juncture reinforces trust. The cybersecurity experts at Secarma provided both: direct information to TYPO3 and a public online report about the exploit later on.
While there are good reasons for publishing information about security vulnerabilities, it can expose systems to exploits from opportunistic attackers. How to proceed?
With the prospect of the exploit being publicly known, swift action was required by developers who build and use any PHP driven software. TYPO3 did just that. We were informed about the vulnerability in June 2018. By the middle of July TYPO3 had:
fixed the security issue for the TYPO3 project
published details in the official TYPO3 security advisory and
released new stable versions of all current major TYPO3 LTS versions.
The vulnerability was solved by first denying the direct attack vector and then limiting the invocation of Phar files to those that are located in TYPO3 extensions (path typo3conf/ext/*) by using a custom PHP stream wrapper. The PharStreamWrapper intercepts invocations of the phar:// stream in PHP and only allows them for defined locations in the file system.
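The interception described above can be sketched in a few lines of PHP. This is an added example, not code from TYPO3 or from the phar stream wrapper package: the class name, its methods and the allow-list property are hypothetical, it assumes PHP 7 or later with the phar extension loaded, and it covers only open, read and stat calls.

```php
<?php
// Added illustration, not the TYPO3 package's code; all names here are hypothetical.
final class AllowListedPharWrapper
{
    public static $allowedDirs = []; // real paths that archives may be loaded from
    public $context;                 // set by PHP when a stream context is passed
    private $handle;                 // native phar stream, opened only after the check

    public static function register(array $dirs)
    {
        self::$allowedDirs = array_filter(array_map('realpath', $dirs));
        stream_wrapper_unregister('phar');             // take over phar:// ...
        stream_wrapper_register('phar', self::class);  // ... with this guard
    }
    // True only if the archive file behind $url lies below an allowed directory.
    public static function isAllowed($url)
    {
        $path = substr($url, strlen('phar://'));
        for (; !is_file($path); $path = dirname($path)) { // strip the in-archive path
            if (dirname($path) === $path) { return false; } // no archive file on disk
        }
        $real = (string) realpath($path);     // resolves symlinks and ".." segments
        foreach (self::$allowedDirs as $dir) {
            if (strpos($real, $dir . DIRECTORY_SEPARATOR) === 0) { return true; }
        }
        return false;
    }
    // Check first, then call $fn with PHP's built-in wrapper and put the guard back.
    private static function native($url, $fn, ...$args)
    {
        if (!self::isAllowed($url)) { return false; } // rejected before PHP parses the archive
        stream_wrapper_restore('phar');
        try {
            return @$fn($url, ...$args);
        } finally {
            self::register(self::$allowedDirs);
        }
    }
    public function stream_open($url, $mode, $options, &$opened)
    {
        return is_resource($this->handle = self::native($url, 'fopen', $mode));
    }
    public function stream_read($n) { return fread($this->handle, $n); }
    public function stream_eof() { return feof($this->handle); }
    public function stream_stat() { return fstat($this->handle); }
    public function stream_close() { fclose($this->handle); }
    public function url_stat($url, $flags) { return self::native($url, 'stat'); }
}
AllowListedPharWrapper::register([__DIR__ . '/typo3conf/ext']); // path named in the article
```

Operations the class does not implement (directory listing, unlink, rename and so on) fail with a PHP warning instead of reaching the built-in phar handler, so the sketch fails closed for them.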
For TYPO3 users this means: To stay on the safe side update your installation to any version above TYPO3 v7.6.30, v8.7.17 or v9.3.1 as recommended in the security advisory. Extended support is available for TYPO3 v6 LTS.
All’s good that ends good? Not quite. TYPO3 took this a huge step further.
Other open source technologies are faced with the same concern with regard to this vulnerability. To help other defenders improve their security we decided to publish our solution as a stand-alone package for the PHP community.
We have extracted the PharStreamWrapper from the TYPO3 core and prepared a Composer package which includes everything you need to secure any PHP driven project against the vulnerability, regardless of the technology you use, the framework your product is written in and the libraries and modules you use.
The stand-alone “phar stream wrapper” package is available for free download on GitHub and Packagist:
To avoid licensing issues and incompatibilities the phar stream wrapper package has been published under the MIT License and anyone can use it. If you duplicate or modify the source code credits are not required (but much appreciated!). The package is compatible with PHP v7 and PHP v5.3. For more details read last Thursday’s Press Service Announcement on TYPO3.org.
Kudos to Martin Auswöger (member of the Contao Security Team) for reporting further details on the vulnerability and providing corresponding security fixes. And a special thank you also goes to Alex Pott for creating back ports of all sources to provide compatibility with PHP v5.3. Also, thanks to Inge Bateman for her attention to detail and valuable input in writing this article.
The TYPO3 community holds a strong “inspire people to share” ethos, which helps us link to our values and goals. We believe in sharing knowledge, empowering one another and building awesome products together - be it within the TYPO3 project or with other open source ones. TYPO3 is part of the bigger PHP community and like all communities, it’s a constant game of give and take.
Rallying with fellow open source players is important to us. Together we have the unique opportunity to combine resources to grow the size of the market and open source CMS adoption. Across the globe, tens of thousands of developers and businesses already collaborate to build and improve shared open source technologies.
In the context of open source, the idea of secrecy and hoarding makes me uncomfortable. If you’re serious about open source and producing high-end value, it probably makes you uncomfortable too.
In June, we were informed of a potential PHP security issue through responsible disclosure. With the prospect of the exploit being publicly known, swift action was required. Within weeks, TYPO3 had a solution in place to keep the project safe: the PharStreamWrapper. Sam Thomas then demonstrated the vulnerability at the annual Black Hat security event in August (full disclosure).
TYPO3 decided to take this a big step further and prepared a separate Composer package: The security solution was extracted from the TYPO3 core and is now available as a stand-alone package for other open source developers to download (for free) and to use for keeping any PHP driven project safe.
Together we are stronger!
October 23rd, 2018
I remember having had a problem with the TYPO3-stream-wrapper (at an early stage) and back then I thought it might be superfluous. This article is great as it explains the need and the work Oliver Hader and the team did. Being able to now implement the solution even in non-TYPO3-projects - I'm excited about the information and offered solutions.