TYPO3 Core

I was not able to reproduce the behavior (HTTP 403 errors on URLs containing %3f, which is e.g. the case for the returnUrl parameter) with an Apache 2.4.61 local environment, using mod_fcgid.

Can you please provide details about the web hosting environment?
Are there any custom modifications to the .htaccess rules?

For the records...¶

Based on our analysis of a web server environment under Apache 2.4.61, the operation of TYPO3 with regard to CVE-2024-38474 (https://www.cve.org/CVERecord?id=CVE-2024-38474) is not affected. The htaccess configuration provided by TYPO3 by default is not blocked by Apache, and the use of the new UnsafeAllow3F flag also appears unnecessary.

Thanks for the feedback. Good to hear that it's not a general problem that could potentially affect other web hosting providers.

Unfortunately, I don't currently have STRATO web hosting myself, from which I could provide further insights. I just linked the topic that was discussed in the TYPO3 Community Hub, in the Contao Forum and on Slack and recorded it here to reach the core team.

If this is not a general problem, it will certainly be possible to close this "issue".

Thanks for your feedback!

After clarifying this via Slack directly, it turned out that

• the original error message was copy-pasted from https://community.contao.org/de/showthread.php?87114-Fehler-403-Forbidden-durch-Cookiebar-AH10508-Unsafe-URL-with-3f-URL-rewritten&p=586304&viewfull=1#post586304
• other references stemmed from another forum thread at https://forum.t3academy.de/d/507-strato-create-content-forbidden-error-403-cve-2024-38474-unsafeallow3f/48

Concerning Strato (https://www.strato.de/)¶

We (the TYPO3 Security Team) contacted the Strato Security Team today, asking for a clarification about their procedures (arbitrarily blocking any URL that contains %3f) and their misleading statements about "using insecure methods in Typo3" - which is of not the case.

We were able to reproduce the behavior on websites that are definitively not build with TYPO3 - the pure existence of %3f in the request URI was enough to get denied.

→ example https://filmscanner.info/%3f (resolves to 81.169.145.64, w00.rzone.de)

since the report was only for v13: Has this also been tested by the security team with v12.4, or only v13? Or is a test with v12 not necessary since nothing changed in the backend logic of v13 in this regard?

And thanks for looking into it, much appreciated.

To my knowledge Strato silently fixed the problem yesterday. The 404 error is gone.