whoot / Typo3Scan

Enumerate Typo3 version and extensions
GNU General Public License v2.0

False positive extension vulnerability gridelements #30

Closed exploide closed 1 year ago

exploide commented 1 year ago

Describe the bug

typo3scan reported a vulnerability for the gridelements extension.

  [+] gridelements
   ├ Extension Title:       Grid Elements
   ├ Extension Repo:        https://extensions.typo3.org/extension/gridelements
   ├ Extension Url:         https://www.example.com/typo3conf/ext/gridelements
   ├ Current Version:       10.4.3 (stable)
   ├ Identified Version:    7.0.5
   ├ Version File:          https://www.example.com/typo3conf/ext/gridelements/ChangeLog
   └ Known Vulnerabilities:

     [!] TYPO3-EXT-SA-2022-009
      ├ Vulnerability Type: Cross-Site Scripting
      ├ Affected Versions:  7.6.1 - 0.0.0
      └ Advisory Url:       https://typo3.org/security/advisory/typo3-ext-sa-2022-009

This is a false positive. The problem is, the version is inferred from the changelog file, but this hasn't been kept up to date for a while. That means the identified version and hence the detected vulnerability is incorrect.

See extension's repository at https://gitlab.com/coderscare/gridelements where the ChangeLog file has been modified three years ago. Instead, it just begins with the line "See https://gitlab.com/coderscare/gridelements/commits/9-0 for a list of commits".

This is of course not helpful and I think it would be best if they don't keep the changelog file if it isn't used properly. But it is how it is.

On the other side, I understand that this can be a nightmare to parse for typo3scan. Just wanted to let you know about the false positive. Maybe you have a good idea about how to cope with this.
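As an added illustration (not Typo3Scan's own code), this contrasts the failure mode described above, taking the first version-looking token found anywhere in the ChangeLog, with trusting only the file header and reporting "unknown" when that header is a commit-list pointer; the two ChangeLog samples and the function names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs: a normally maintained ChangeLog header, and a
# stale one shaped like the gridelements case (first line points at the
# commit list, old release entries still sit below it).
CHANGELOG_OK = """\
Version 10.4.3 (stable)
- backend rendering fix
Version 10.4.2
- earlier entry
"""

CHANGELOG_STALE = """\
See https://gitlab.com/coderscare/gridelements/commits/9-0 for a list of commits

7.0.5
- old entry that no longer reflects the installed release
"""

# Dotted version such as 7.0.5 or 10.4, not glued to other word characters.
VERSION_RE = re.compile(r"(?<![\w.])(\d+\.\d+(?:\.\d+)?)(?![\w.])")
# Header line that replaces the log with a pointer to the commit history.
POINTER_RE = re.compile(r"^\s*see\s+\S+\s+for\s+a\s+list\s+of\s+commits", re.I)


def naive_first_version(changelog: str) -> Optional[str]:
    """The false-positive path: first version-like token anywhere in the file."""
    m = VERSION_RE.search(changelog)
    return m.group(1) if m else None


def infer_version(changelog: str, head_lines: int = 3) -> Tuple[Optional[str], str]:
    """Return (version, reason). Only the first few non-empty lines are trusted;
    a version further down is release history, not the installed release."""
    header = [l for l in changelog.splitlines() if l.strip()][:head_lines]
    for line in header:
        if POINTER_RE.match(line):
            # Maintainer replaced the log with a link: everything below is stale,
            # so report the version as unknown instead of matching advisories.
            return None, "changelog replaced by commit-list pointer"
        m = VERSION_RE.search(line)
        if m:
            return m.group(1), "from changelog header"
    return None, "no version in changelog header"
```

A `None` version should surface as an "extension version unreliable" warning in the report rather than being matched against an advisory range.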

whoot commented 1 year ago

Thanks for sharing, but as you already said and as already mentioned/discussed in #28: version detection for extensions is a nightmare, because developers do what they want.

Unfortunately, I don't have any idea how this could be fixed. Maybe I will put a warning somewhere that the version detection for extensions is unreliable.

whoot commented 1 year ago

Version 1.1.3 adds a warning. I also added a section in the readme.

exploide commented 1 year ago

Thanks. As I also don't see a better way forward for now, I'll close this issue.