[Typo3-dev] TYPO3 backend "Directory Traversal Attack"
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Wed Nov 2 12:46:38 CET 2005
Kasper Skårhøj wrote:
> Hi Developers.
>
> Benoit POUYET has made me aware of a security problem called "Directory
> Traversal Attack". The problem seems to be that allowing "../" in URLs could
> be considered an attack on server security. The advice is to turn off support
> for "../" in URLs. However, this completely paralyses the TYPO3 backend where
> icons, stylesheets etc. are all prefixed with the $BACK_PATH-variable which
> is typically configured with "../../../../" or the like.
>
> Benoit says that more and more security concerned scenarios might shut down
> this functionality and so we should be concerned with how to address it in
> TYPO3. Do any of you know about this issue and have suggestions for its
> solution?
One customer had set up their firewall so that all URLs with ../ were
forbidden. It turned out "all right" because they were willing to change
this policy, but that might not always be the case.
Masi
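The thread's underlying question is what a server should actually treat as a traversal attempt versus a harmless relative reference. The following is an added illustration, not TYPO3 code: it canonicalizes "." and ".." segments of a URL path the way a browser does before sending a request, rejects only paths that climb above the web root (the real traversal condition), and shows how a $BACK_PATH-style prefix can be resolved server-side so emitted links carry no literal "../" at all. The directory names ("/typo3/mod/web/", "gfx/icon.gif") are constructed and not TYPO3's real layout.

```python
def canonicalize_web_path(path: str) -> str:
    """Collapse "." and ".." segments of an absolute URL path.

    Raises ValueError when the path would climb above "/", which is the
    condition a server must reject; "../" that stays inside the root is fine.
    """
    if not path.startswith("/"):
        raise ValueError("absolute web path expected")
    segments = []
    for seg in path.split("/")[1:]:
        if seg in ("", "."):
            continue          # empty ("//") and "." segments change nothing
        if seg == "..":
            if not segments:
                raise ValueError(f"path escapes the web root: {path}")
            segments.pop()    # step up one directory, still inside the root
        else:
            segments.append(seg)
    trailing = "/" if segments and path.endswith(("/", "/.", "/..")) else ""
    return "/" + "/".join(segments) + trailing


def is_within_web_root(path: str) -> bool:
    """Defender-side check: True if the request path resolves inside the root."""
    try:
        canonicalize_web_path(path)
        return True
    except ValueError:
        return False


def resolve_back_path(script_dir: str, back_path: str, resource: str) -> str:
    """Resolve a $BACK_PATH-style relative reference to a dot-free absolute path.

    script_dir: URL directory of the running backend script (constructed, e.g. "/typo3/mod/web/")
    back_path:  the relative prefix, e.g. "../../"
    resource:   file below the backend root, e.g. "gfx/icon.gif"
    Emitting the returned path in HTML means no "../" ever appears in outgoing URLs,
    so a policy that blocks literal "../" is never tripped by legitimate backend links.
    """
    if not script_dir.endswith("/"):
        script_dir += "/"
    return canonicalize_web_path(script_dir + back_path + resource)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate relative reference, one escape attempt.
    for req in ("/typo3/mod/web/../../gfx/icon.gif", "/typo3/../../outside.txt"):
        print(req, "->", "allowed" if is_within_web_root(req) else "rejected")
    print(resolve_back_path("/typo3/mod/web", "../../", "gfx/icon.gif"))
```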