[TYPO3-core] RFC: Path disclosure vulnerability fix (#2248)
Ingmar Schlecht
ingmar at typo3.org
Sat Jan 14 03:07:26 CET 2006
Hi guys,
This is a CVS patch request.
Type: security fix
Branch: TYPO3-4.0
Description:
When you call certain scripts from different locations than normal, they
disclose the full system path of TYPO3 to you.
Example: http://typo3.org/typo3/t3lib/thumbs.php
This patch fixes the path disclosure in t3lib/config_default.php and
also adds a check to showpic.php checking if the typo3conf directory
exists. The same is also done in index_ts.php, so I think it should be
in showpic.php, too.
There are a lot more path disclosure vulnerabilities in TYPO3, but they
only work if PHP error messages are configured to be output to the user
- that's the server admin's fault, I'd say.
BT Reference:
http://bugs.typo3.org/view.php?id=2248
cheers,
Ingmar
Attachment: path_disclosure_fix.patch
http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20060114/131a6baf/attachment.pot
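The kind of guard the mail describes (refuse to run unless the typo3conf directory is where the script expects it), shown as an added illustration that is not the attached patch and not TYPO3 code. It also shows why the check matters when PHP error output reaches the browser: an include of a missing file emits a warning containing the absolute path. The site-root derivation, the localconf.php file name, the function names and the throw-away directory tree are assumptions made for this example.

```php
<?php
// Added example (not the TYPO3 patch, not project code): a "configuration
// directory exists" guard in the spirit of the one described for showpic.php
// and index_ts.php, next to the leaky pattern it replaces.
declare(strict_types=1);

// Site root for a script that lives one directory below it, e.g.
// <root>/typo3/showpic.php. The constant PATH_site plays this role in TYPO3;
// the derivation here is an assumption for this example.
function site_root_for(string $scriptFile): string
{
    return rtrim(dirname(dirname($scriptFile)), '/') . '/';
}

// The guard: is the configuration directory reachable from this site root?
function typo3conf_reachable(string $siteRoot): bool
{
    return @is_dir($siteRoot . 'typo3conf');
}

// Leaky pattern: include first, check never. When the file is missing PHP
// raises "Warning: include(/full/path/typo3conf/localconf.php): ..." and,
// with display_errors=On, that full path goes straight to the caller.
function load_config_leaky(string $siteRoot): void
{
    include $siteRoot . 'typo3conf/localconf.php';
}

// Hardened pattern: check first; on failure return false so the caller can
// exit with a message that carries no filesystem detail.
function load_config_guarded(string $siteRoot): bool
{
    if (!typo3conf_reachable($siteRoot)) {
        return false;
    }
    include $siteRoot . 'typo3conf/localconf.php';
    return true;
}

// ---- demonstration on a constructed, throw-away site tree (no typo3conf) ----
$tmp = sys_get_temp_dir() . '/t3demo_' . getmypid();
mkdir($tmp . '/site/typo3', 0700, true);

// Capture warnings instead of printing them, so we can inspect what the
// browser would have received with display_errors=On.
$captured = [];
set_error_handler(function (int $no, string $str) use (&$captured): bool {
    $captured[] = $str;
    return true;
});

$root = site_root_for($tmp . '/site/typo3/showpic.php');

load_config_leaky($root);
$leak = $captured[0] ?? '';
printf("leaky:   warning discloses site root? %s\n",
    strpos($leak, $tmp) !== false ? 'YES' : 'no');

$captured = [];
$ok = load_config_guarded($root);
printf("guarded: loaded=%s, warnings emitted=%d\n", $ok ? 'true' : 'false', count($captured));
if (!$ok) {
    // What the script should answer: no path, no PHP internals.
    echo "Cannot find configuration. This file is probably executed from the wrong location.\n";
}

restore_error_handler();
rmdir($tmp . '/site/typo3');
rmdir($tmp . '/site');
rmdir($tmp);
```

Run it from the command line; the leaky variant reports that the captured warning contains the temporary site root, while the guarded variant emits no warning at all. The guard only covers this one failure mode, which is the point made in the mail: scripts that rely on PHP error output being disabled still leak paths on any other include or file operation that fails, so display_errors should be off in production regardless.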