[TYPO3-core] RFC: Path disclosure vulnerability fix (#2248)
Ingmar Schlecht
ingmar at typo3.org
Sat Jan 14 12:31:22 CET 2006
Fixed in CVS.
cheers,
Ingmar
Ingmar Schlecht wrote:
> Hi guys,
>
> This is a CVS patch request.
>
> Type: security fix
>
> Branch: TYPO3-4.0
>
> Description:
> When you call certain scripts from different locations than normal, they
> disclose the full system path of TYPO3 to you.
>
> Example: http://typo3.org/typo3/t3lib/thumbs.php
>
> This patch fixes the path disclosure in t3lib/config_default.php and
> also adds a check to showpic.php checking if the typo3conf directory
> exists. The same is also done in index_ts.php, so I think it should be
> in showpic.php, too.
>
> There are a lot more path disclosure vulnerabilities in TYPO3, but they
> only work if PHP error messages are configured to be output to the user
> - that's the server admin's fault, I'd say.
>
> BT Reference:
> http://bugs.typo3.org/view.php?id=2248
>
> cheers,
> Ingmar
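An added example (not TYPO3's own code, and not part of the original message) of the pattern the patch describes: a script that is only meant to run inside an installed site checks whether the typo3conf directory exists next to it, and, in the hardened form, answers a request from an unexpected location without putting the filesystem path into the response. It also sets the two PHP error options that close the second disclosure channel the thread mentions (errors echoed to the client). The site-root layout, the function names and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not TYPO3 code. Demonstrates a "does typo3conf exist?" guard
// in a leaky and in a hardened form, plus the PHP error settings that keep
// error text (and the paths inside it) out of HTTP responses.
declare(strict_types=1);

// Never echo PHP errors to the client; keep them in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Vulnerable variant: the error text embeds the absolute path, so calling the
 * script from an unexpected location reveals where TYPO3 is installed.
 */
function guardLeaky(string $siteRoot): array
{
    $conf = rtrim($siteRoot, '/') . '/typo3conf';
    if (!is_dir($conf)) {
        return ['status' => 500, 'body' => "Configuration directory $conf not found"];
    }
    return ['status' => 200, 'body' => 'ok'];
}

/**
 * Hardened variant: same check, but the path goes only to the server log and
 * the client receives a generic response that does not depend on the path.
 */
function guardSafe(string $siteRoot): array
{
    $conf = rtrim($siteRoot, '/') . '/typo3conf';
    if (!is_dir($conf)) {
        error_log("Refusing to serve: typo3conf missing under $siteRoot");
        return ['status' => 404, 'body' => 'Not found'];
    }
    return ['status' => 200, 'body' => 'ok'];
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

// Constructed demo: a temporary "site root" (assumed path) without typo3conf.
$fakeRoot = sys_get_temp_dir() . '/t3demo_' . bin2hex(random_bytes(4));
mkdir($fakeRoot);

$leaky = guardLeaky($fakeRoot);
$safe  = guardSafe($fakeRoot);

// The leaky response contains the directory; the hardened one does not.
check(str_contains($leaky['body'], $fakeRoot), 'leaky guard should expose the path');
check(!str_contains($safe['body'], $fakeRoot), 'safe guard must not expose the path');
check($safe['status'] === 404, 'safe guard should answer with a generic 404');

// Creating typo3conf makes both guards pass, as in a normal installation.
mkdir($fakeRoot . '/typo3conf');
check(guardSafe($fakeRoot)['status'] === 200, 'guard should pass with typo3conf present');

rmdir($fakeRoot . '/typo3conf');
rmdir($fakeRoot);

echo "hardened response: {$safe['status']} {$safe['body']}\n";
```

In a real entry script the hardened result would be emitted with `header()` followed by `exit`, before any configuration is loaded; the point is that neither the guard's own message nor any later PHP warning carries the install path to the client, regardless of how the script was reached.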