[TYPO3-ttnews] Extra characters in URL ?L=/../..
Lily Wong
lily.wong at utoronto.ca
Fri Feb 18 18:19:47 CET 2011
Hi Georg,
You're right - it was indeed an error with the language setting. I
looked in the database and for that particular record and the language
parameter was somehow set to: sys_language_uid = -1. That parameter
should be either 0 (default language) or 4 (secondary language).
Thank you for your help!
Best,
Lily
--
lily.wong at utoronto.ca
On Wed, Feb 16, 2011 at 1:47 PM, Georg Ringer <typo3 at ringerge.org> wrote:
> Hi,
>
> Am 16.02.2011 18:33, schrieb Lily Wong:
>>
>>
>> http://www.mysite.com/video/?L=/../../../../../../../../../etc/passwd\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\0
>
> usually it is correct to ask the security team but this is no security issue
> but a misconfiguration.
>
> Set something like config.linkVars = L(int)
> or = L(1-3)
>
> otherwise any parameter is cached
>
> Georg
More information about the TYPO3-project-tt-news
mailing list