[Typo3-dev] TYPO3 backend "Directory Traversal Attack"

Achim Eichhorn AchimEichhorn at eim2.de
Thu Nov 3 13:15:53 CET 2005


Hi,

Here is a link to a page which explains "Directory Traversal Attack":
http://www.acunetix.com/websitesecurity/directory-traversal.htm

So far as I can see, the problem arises when scripts use parameters
uncontrolled; perhaps a script export.php, which lets a user download
a file from the webserver, does not control the given GET/POST parameters.

http://phpmyadmin.example.com/export.php?what=../../../[existing_file]

This would allow an attacker to download any existing file from the
webserver, if only he knows (or guesses) the path and the name and if
there are no other restrictions like openbasedir or safemode activated.

If there is a general security risk in allowing ../ paths on the webserver,
then it must be forbidden at webserver level and filtered out there,
with the consequence that TYPO3 has to be fixed in the ways described
in the last postings on this topic.
(Scripts, icons, ... then have to be addressed with absolute paths.)

But if it is "only" a problem on script level, then it is the
responsibility of the script developers to check their input for
possible attacks. Naturally, the TYPO3 backend and frontend routines
have to be checked, too, to see if there are insecure scripts. But it
then wouldn't be necessary to disable ../ in general. Maybe in future
implementations there could be some security helper functions for
checking/filtering the G/P parameters.

But maybe I don't see the whole problem in the right way?
Are there any examples where an attacker can use this "../" addressing
to "hack" the system without any insecurely programmed scripts?


Achim.
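
The "security helper function" for checking request parameters that the message asks about could look like the following. This is an added example, not part of the original post and not TYPO3 code; the function name `resolveInsideBase`, the directory layout and the request values are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not TYPO3 code. All names and paths are hypothetical.

/**
 * Resolve a user-supplied relative path and return it only if the result
 * is a regular file inside $baseDir; otherwise return null.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    // A NUL byte can truncate the path at the OS level (or raise an error).
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false
    // when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so that a sibling such as
    // "export-old" does not pass as being inside "export".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample layout under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . uniqid();
mkdir($root . '/export', 0700, true);
mkdir($root . '/export-old', 0700, true);
file_put_contents($root . '/export/report.csv', "id,name\n");
file_put_contents($root . '/export-old/old.csv', "id,name\n");
file_put_contents($root . '/secret.txt', "outside the export directory\n");

// Constructed values, as they might arrive in the "what" parameter.
$samples = ['report.csv', './report.csv', '../secret.txt',
            '../export-old/old.csv', 'missing.csv'];
foreach ($samples as $what) {
    $path = resolveInsideBase($root . '/export', $what);
    printf("%-24s => %s\n", $what, $path === null ? 'rejected' : 'served');
}
```

The check is made on the resolved path rather than by stripping "../" from the input, so relative paths that legitimately stay inside the base directory keep working.
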

