[Typo3-dev] TYPO3 backend "Directory Traversal Attack"

Dmitry Dulepov typo3 at fm-world.ru
Wed Nov 2 12:59:48 CET 2005


Hi!

Kasper Skårhøj wrote:
> Benoit POUYET has made me aware of a security problem called "Directory 
> Traversal Attack". The problem seems to be that allowing "../" in URLs could 
> be considered an attack on server security. The advice is to turn off support 
> for "../" in URLs. However, this completely paralyses the TYPO3 backend where 
> icons, stylesheets etc. are all prefixed with the $BACK_PATH variable which 
> is typically configured with "../../../../" or the like.

Well, it reminds me of the NIMDA worm that almost paralysed the Internet a couple of
years ago, attacking MS IIS servers with exactly this type of attack.

../ itself is NOT a security risk; it is a risk only if the server does not
handle it properly.

I see two practical ways:
- rely on proper server code and admins who understand what problems
can arise. Generally, a chroot'ed Apache will help to avoid the worst scenario
- use ob_* + preg_* to replace all ../ with proper path segments. This
can be complicated in safe mode environments and should be well tested

Dmitry.
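An added example of the second option (not code from the post or from TYPO3 itself): a PHP output-buffer callback that rewrites href/src values containing "../" into normalised absolute paths, and refuses any reference that would climb above the root, which is the "server handles it properly" case the post describes. The function names, the base path and the sample markup are constructed; it assumes PHP 7.4 or later.

```php
<?php
// Constructed helper: lexically normalise a URL path. "." segments are dropped,
// ".." resolves against the preceding segment, and a ".." that would climb
// above the root makes the whole path invalid (null) instead of being passed on.
function normalizeUrlPath(string $path): ?string
{
    $segments = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                 // empty (double slash) or current directory
        }
        if ($seg === '..') {
            if (empty($segments)) {
                return null;          // nothing left to pop: escapes the root
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

// Constructed output-buffer callback: every href/src attribute whose value
// contains "../" is resolved against $basePath (the URL directory of the
// script emitting the page) and replaced with the normalised absolute path.
// References that escape the root are replaced with "#" rather than emitted.
function rewriteRelativeUrls(string $html, string $basePath): string
{
    return preg_replace_callback(
        '#\b(href|src)=(["\'])([^"\']*?\.\./[^"\']*)\2#i',
        function (array $m) use ($basePath): string {
            $resolved = normalizeUrlPath(rtrim($basePath, '/') . '/' . $m[3]);
            return $m[1] . '=' . $m[2] . ($resolved ?? '#') . $m[2];
        },
        $html
    );
}

// Constructed sample: a backend page emitted from /typo3/mod/tools/em/ with a
// $BACK_PATH-style prefix of "../../../", plus one reference that climbs too far.
$basePath = '/typo3/mod/tools/em/';
ob_start(fn(string $buf): string => rewriteRelativeUrls($buf, $basePath));
echo '<link rel="stylesheet" href="../../../stylesheet.css">', "\n";
echo '<img src="../../../../../../etc/passwd">', "\n";   // more ".." than segments
ob_end_flush();   // runs the callback over the buffered markup
```

The first reference resolves to /typo3/stylesheet.css; the second has more ".." segments than the base path has directories, so it is neutralised instead of being served as written.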