[Typo3-announce] Security Bulletin TYPO3-20050725-1
Ekkehard Gümbel
guembel at naw.de
Wed Aug 10 11:50:43 CEST 2005
Security Bulletin TYPO3-20050725-1
http://typo3.org/teams/security/security-bulletins/typo3-20050725-1/
Component Type: Core
Affected Component: debug script
Version: 3.8.0 and earlier
Vulnerability Type: Information Disclosure
Severity: Low
Problem Description:
A debug script exposes system information provided by phpinfo(). The script
can be executed by a remote user.
Solution:
Remove the script, apply a patch or restrict access to the directory.
- Remove the directory typo3_src-3.x.x/misc/phpcheck
- A patch to prevent execution of the script is available.
  It inserts a die() call at the top of the code in
  typo3_src-3.x.x/misc/phpcheck/incfile.php. You can find it at
  http://bugs.typo3.org/view.php?id=1250
- Use any of your webserver's access restriction methods.
  For example, in Apache, use mod_access or mod_auth directives.
Additional information:
This issue is fixed in the CVS version of the TYPO3 core and will be fixed
in 3.8.1 as well.
References:
TYPO3 bugtracker, ID #1250 at bugs.typo3.org/view.php
Credits:
Thanks to Christian Lerrahn for pointing out this issue to us.
Regards,
Ekkehard Guembel
TYPO3 Security Team
-> This information comes with ABSOLUTELY NO WARRANTY.
-> Visit http://typo3.org/teams/security/security-bulletins
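
The following script is an added example, not part of the bulletin or of TYPO3: it checks which of the first two remediations from the Solution section has been applied to a given source tree. The function names are hypothetical, and the test for a patched incfile.php assumes the patch makes die() the first statement, as the bulletin describes.

```shell
#!/bin/sh
# Added example: classify TYPO3 source trees by the state of misc/phpcheck.
# Usage: sh audit_phpcheck.sh /path/to/typo3_src-3.x.x [...]

# Print the first PHP statement in a file, skipping the opening tag,
# blank lines and comment lines.
first_statement() {
    awk '{ sub(/^[ \t]*<[?](php)?[ \t]*/, ""); sub(/^[ \t]+/, "") }
         $0 == "" || /^(\/\/|#|\/\*|\*)/ { next }
         { print; exit }' "$1"
}

# Print the state of one source tree and return non-zero if it needs work:
#   removed  misc/phpcheck no longer exists
#   patched  incfile.php stops at die()/exit before running anything else
#   exposed  the directory is present and the patch could not be confirmed
phpcheck_status() {
    dir="$1/misc/phpcheck"
    inc="$dir/incfile.php"
    if [ ! -d "$dir" ]; then
        echo removed
        return 0
    fi
    if [ -f "$inc" ]; then
        # Assumption: the patch makes die() (or its alias exit) the first
        # statement. Anything else is reported as exposed, to stay conservative.
        case "$(first_statement "$inc")" in
            "die("*|"die;"*|"exit("*|"exit;"*) echo patched; return 0 ;;
        esac
    fi
    echo exposed
    return 1
}

# Report every tree given as an argument; return 1 if any is exposed.
audit_trees() {
    rc=0
    for src in "$@"; do
        state=$(phpcheck_status "$src") || rc=1
        printf '%s\t%s\n' "$state" "$src"
    done
    return "$rc"
}

audit_trees "$@"
```

A tree reported as exposed may still be covered by the third remediation, a webserver access rule, which this filesystem check cannot see.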