25.07.05 12:08 Age: 7 yrs

Security Bulletin TYPO3-20050725-1

Category: Security, www.typo3.org

By: Karsten Dambekalns

Possible Information leak. The TYPO3 Security Team has issued another security bulletin which explains and fixes a possible problem with a debug script in TYPO3.

Version: 3.8.0 and earlier

Vulnerability Type: Information Disclosure

Severity: Low

Problem Description:

A debug script exposes system information provided by phpinfo(). The script can be executed by a remote user.

Solution:

Remove the script, apply a patch or restrict access to the directory.

  • Remove the directory typo3_src-3.x.x/misc/phpcheck
  • A patch to prevent execution of the script is available. In typo3_src-3.x.x/misc/phpcheck/incfile.php, it inserts a die() call at the top of the code. You can find it on bugs.typo3.org/view.php
  • Use any of your webserver's access restriction methods. For example, in Apache, use mod_access or mod_auth directives.
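
One way to check which of these fixes has been applied to each TYPO3 source copy on a server, as an added example that is not part of the bulletin or TYPO3's own code. The site-a/b/c sample layout, the function names and the die()-detection heuristic are assumptions; the bulletin does not show the patch text.

```shell
#!/bin/sh
# Added example (not TYPO3 project code): locate TYPO3 source copies that still
# ship misc/phpcheck and report whether incfile.php can still execute.

# Echo PATCHED if the first statement of file $1 is die()/exit, else EXPOSED.
# Assumption: the patch text is not shown in the bulletin, so this is a
# heuristic; /* ... */ comments ahead of the first statement are not parsed.
phpcheck_state() {
    sed -e 's/^[[:space:]]*<?php//' -e 's/^[[:space:]]*<?//' "$1" |
        grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*//' -e '^[[:space:]]*#' |
        head -n 1 |
        grep -Eqi '^[[:space:]]*(die|exit)[[:space:]]*(\(|;)' \
        && echo PATCHED || echo EXPOSED
}

# Print one "STATE path" line per phpcheck directory found under $1.
# Returns 1 if any copy is EXPOSED, 0 otherwise.
audit_phpcheck() {
    report=$(find "$1" -type d -path '*/typo3_src-*/misc/phpcheck' | sort |
        while IFS= read -r dir; do
            if [ -f "$dir/incfile.php" ]; then
                echo "$(phpcheck_state "$dir/incfile.php") $dir"
            else
                echo "NO_INCFILE $dir"
            fi
        done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    if printf '%s\n' "$report" | grep -q '^EXPOSED '; then return 1; fi
    return 0
}

# Constructed sample tree (hypothetical site-a/b/c layout) for a dry run:
# site-a is untouched, site-b has die() inserted, site-c had the directory removed.
build_sample_tree() {
    t=$(mktemp -d)
    for s in a b; do mkdir -p "$t/site-$s/typo3_src-3.8.0/misc/phpcheck"; done
    mkdir -p "$t/site-c/typo3_src-3.8.0/misc"
    printf '<?php\nphpinfo();\n' \
        > "$t/site-a/typo3_src-3.8.0/misc/phpcheck/incfile.php"
    printf '<?php\ndie("disabled");\nphpinfo();\n' \
        > "$t/site-b/typo3_src-3.8.0/misc/phpcheck/incfile.php"
    echo "$t"
}

# Usage: sh audit.sh /path/to/webroot   (exit status 1 means action needed)
if [ $# -gt 0 ]; then audit_phpcheck "$1"; fi
```

A PATCHED or NO_INCFILE line still means the directory is present on disk; only removing it or restricting access at the webserver covers any other files it contains.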

Additional information:

This issue is fixed in the CVS version of the TYPO3 core and will be fixed in 3.8.1 as well.

References:

TYPO3 bugtracker, ID #1250 at bugs.typo3.org/view.php

Credits:

Thanks to Christian Lerrahn for pointing out this issue to us.

