CVE-2022-24980
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks against TYPO3 installations using vulnerable versions of the Kitodo.Presentation extension. Attackers can submit arbitrary URLs to a vulnerable eID script, potentially accessing internal files or webpages that the webserver can reach. All TYPO3 sites using affected versions of the Kitodo.Presentation extension are at risk.
💻 Affected Systems
- TYPO3 with the Kitodo.Presentation (extension key: dlf) extension
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal files (configuration files, credentials), interact with internal services, or pivot to internal network resources, potentially leading to data breaches or further compromise.
Likely Case
Attackers will scan for vulnerable instances and use SSRF to read local files, potentially exposing configuration data or accessing internal web applications.
If Mitigated
With proper network segmentation and web server restrictions, impact is limited to files accessible by the web server user within its allowed directories.
🎯 Exploit Status
The vulnerability is in an eID script that doesn't require authentication, making exploitation straightforward. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kitodo.Presentation 2.3.2, 3.2.3, or 3.3.4
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2022-001
Restart Required: No
Instructions:
1. Update the Kitodo.Presentation extension to version 2.3.2, 3.2.3, or 3.3.4 depending on your major version.
2. Clear TYPO3 caches.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable vulnerable eID script
Remove or restrict access to the vulnerable eID script that handles the SSRF vulnerability.
# Locate and disable the vulnerable eID script in your TYPO3 installation
# Typically found in: typo3conf/ext/kitodo_presentation/Classes/Eid/
Web server URL restrictions
Configure the web server (Apache/Nginx) to block requests to the vulnerable eID endpoint.
# Apache: Use mod_rewrite to block requests to the vulnerable endpoint
# Nginx: Use location block to deny access to the vulnerable script
🧯 If You Can't Patch
- Implement strict outbound firewall rules to limit the web server's ability to make requests to internal resources.
- Remove or disable the Kitodo.Presentation extension entirely if not required.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of the Kitodo.Presentation extension in TYPO3 Extension Manager or by examining the extension's ext_emconf.php file.
Check Version:
# Check extension version in TYPO3 backend under Admin Tools > Extensions > Kitodo.Presentation
Verify Fix Applied:
Verify in the TYPO3 Extension Manager that the installed extension version is at least 2.3.2, 3.2.3, or 3.3.4 for its major version.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to eID endpoints, especially with external URLs as parameters
- Web server errors related to failed external requests
- Increased outbound HTTP requests from web server
Network Indicators:
- Outbound HTTP requests from web server to internal IP addresses or unusual domains
- Requests to file:// URLs or localhost from web application
SIEM Query:
web_access_logs WHERE uri CONTAINS 'eID' AND (uri CONTAINS 'http://' OR uri CONTAINS 'https://' OR uri CONTAINS 'file://')
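One way to implement the log check described above, as an added example that is not part of this advisory: a small Python scanner that parses combined-format access-log lines (the sample lines and the eID name `example_proxy` are constructed for illustration), flags eID requests whose query parameters carry a URL, and labels each hit by whether the URL points at a file, an internal address, or an external host. Unlike the substring query above, it percent-decodes parameter values first, so an encoded scheme such as `file%3A%2F%2F` is not missed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /index.php?eID=example_proxy&url=http://127.0.0.1/ HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2022:10:00:02 +0000] "GET /index.php?eID=example_proxy&url=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 200 1024
10.0.0.7 - - [01/Mar/2022:10:00:03 +0000] "GET /index.php?id=12&tx_dlf%5Bid%5D=3 HTTP/1.1" 200 2048
10.0.0.8 - - [01/Mar/2022:10:00:04 +0000] "GET /index.php?eID=example_proxy&url=https://images.example.org/a.jpg HTTP/1.1" 200 9000
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Schemes worth flagging when they appear as a parameter value.
SCHEME_RE = re.compile(r'^(https?|file|ftp|gopher|dict)://', re.IGNORECASE)


def classify_url(value):
    """Return 'file', 'internal' or 'external' for a URL-looking value, else None."""
    value = unquote(value)  # catches double-encoded values too
    if not SCHEME_RE.match(value):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() == "file":
        return "file"
    host = parts.hostname or ""
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return "internal"
    except ValueError:
        pass  # hostname, not a literal IP
    return "external"


def scan_log(text):
    """Return (client_ip, eID, param, category, url) for eID requests carrying URLs."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes keys and values once.
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        eid = query.get("eID")
        if not eid:
            continue
        for name, values in query.items():
            for value in values:
                category = classify_url(value)
                if category:
                    hits.append((line.split()[0], eid[0], name, category, unquote(value)))
    return hits
```

Access logs record only the query string, so a URL submitted in a POST body will not appear here; pair this with the outbound-connection monitoring listed under Network Indicators.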