[TYPO3-dev] Info disclosure from extension folders

christian reiter cr at n-o-s-p-a-m-cxd.de
Wed Oct 25 17:53:44 CEST 2006 

Hello,

Looking at some logfiles I have found that TYPO3 is getting more and more
into the focus of automated reconnaissance by potential attackers.

This means, some sites are regularly visited by robots that check for the
presence of a number of widespread apps and try to find hints for known
security issues in them. The burst of visits by one IP looking for files
belonging to  php2BB, Awstats, PhpMyAdmin, Mambo, Horde, Wordpress, TYPO3 ,
and about 2 dozen other popular applications makes the intent clear.

I have found that it may be good to restrict the delivery of some extension
information.

For instance if you go to
http://www.typo3.org/typo3/sysext/indexed_search/ChangeLog you will find
that the current version with the last bugfix is there (2006-09-11). For
comparison I checked this file on the server of a major international
business machine producer who has a TYPO3 website and also uses
indexedsearch.. There the Changelog shows 2005-05-15. Another corporate
webiste had 2004-04-26. As an attacker I could now try to find out which
vulnerabilites exist in these old versions and attack them.

Of course the vulnerabilities of the old extensions would still be there if
these files were not accessible, however the automated collection of
vulnerable installations by script kiddies wouldn´t be so easy.

Therefore it is perhaps  a good idea  to configure Apache so  that it does
not deliver this information.

Just forbidding access to all typo3conf/ext is of course not the solution:)
However there is no reason why it should be possible to display the
ext_tables.sql, the changelogs etc in the browser. When people make
extensions themselves of course it also possible to find out some
information by identifiying the extension name from the comments in the HTML
source of a page where a plugin is located and then looking at the
ext_tables.sql, wizard_form.html... etc.  - all of this information should
really be private.

This is maybe a bit paranoid but looking at logfiles always makes you
paranoid :)

Greetings,

Christian Reiter

More information about the TYPO3-dev mailing list