Bug #81361
open
File dump in TYPO3 BE insecure because login status is not checked
0%
Description
Dear TYPO3 team,
we found a security issue in the Filelist module in TYPO3 BE in all TYPO3 versions from 6.2 to 7.x and 8.6:
You can create a File Storage with "Path type" set to "absolute" and "Base path" pointing to a secure directory outside of docroot, "Is publicly available?" left unchecked.
You can upload files in File list module, f.e. a csv file with sensitive data.
When you preview this file with with a click on the "Show" icon, a new browser tab opens with an URL like: "/index.php?eID=dumpFile&t=f&f=2&token=ea0aa41c84835250308254959470650ac4d66bbf", dumping your file contents.
The security issue is that you can also open this URL without being logged in as TYPO3 BE user without any authentication process.
That means, that a TYPO3 BE user could unsuspectingly preview this sensitive file f.e. with a Google Chrome browser which will potentially index this file just because the URL is entered into Chrome and suddenly it becomes publicly available.
Imagine, this could be personal data as credit card informations, account details etc.
The issue could be solved in two ways:
a) use a separate dump script for TYPO3 BE with authentication check
b) use a hook to add authentication if the exising dump script is called in TYPO3 BE.
I implemented an extension for variant b) and attached it. This will fix this issue as it checks if a BE-User is logged in and if he has access to the file storage and if the file storage is browsable and active before dumping the file.
Best regards,
Alexander
Files
Updated by 
Updated by 
Updated by