[TYPO3-announce] TYPO3 Security Bulletin 20070612-1: Information disclosure in w4x_backup

Lars Houmark lars at typo3.org
Tue Jun 12 13:21:11 CEST 2007


Dear users of TYPO3,

It has been discovered that the extension w4x_backup has several
security related issues which may disclose confidential information.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3
default installation.

==== Vulnerability Type ====
Information disclosure

==== Affected Versions ====
Version 0.9.2 and all versions below

==== Severity ====
LOW

==== Problem Description ====
Within a Unix/Linux environment, the extension w4x_backup checks for
appropriate file permissions during a backup or a restore operation.
Problems are reported in a log file written in HTML format, which can
contain a complete list of the files and file paths of a TYPO3 based web
site. The log file has a static name and path and is readable by the
public. It is also not deleted automatically, so it stays in place,
unchanged, until the next backup or restore run overwrites it.

The contents of the log file might expose the names of confidential
files that are not meant to be public and make them easily accessible
for attackers. In some situations the contents of the log file can also
expose the file name of the latest backup archive created by the
extension. The backup archive would then be easily downloadable for an
attacker (containing file contents and a sqldump).

==== Solution ====
An updated version is available from the TYPO3 extension manager and at
http://typo3.org/extensions/repository/view/w4x_backup/0.9.2/

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security  
Cookbook [1].

Credits go to security team member Henning Pingel, who discovered these
issues, and to Carlos Chiari, the author of the extension, who fixed them.

You can view the entire bulletin at the below address:
http://typo3.org/teams/security/security-bulletins/typo3-20070612-1/

[1] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf

Regards,

Lars Houmark
lars at typo3.org
