Bug #14276

closed

Commands with redirect blocked by server security

Added by old_facorreia about 20 years ago. Updated about 20 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend API
Target version: -
Start date: 2004-08-20
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 3.6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Some servers have a hacking protection that prevents the value http:// being used in script parameters.

Using the HIDE, UNHIDE or PASTE INTO commands of the popup context menu in the backend page tree causes a redirect with the value http:// in the script parameters.

The server blocks this behavior for security reasons.

Steps to reproduce:

1. Install the quickstart on a Linux server configured to block http:// in script parameters.
2. Enter the backend.
3. Click on the Page command.
4. Click on the icon of one of the pages.
5. In the popup context menu, select the command Hide.

Effect: Error 500 in a URL like this:
/quickstart-3.6.2/typo3/tce_db.php?redirect=http%3A%2F%2Fwww.correiabr.net%2Fquickstart-3.6.2%2Ftypo3%2Falt_mod_frameset.php%3FfW%3D0%26nav%3Dmod%252Fweb%252F..%252F..%252Falt_db_navframe.php%26script%3Dsysext%252Fcms%252Flayout%252Fdb_layout.php%26id%3D&data[pages]7[hidden]=1&prErr=1&vC=573798c6e7

Cause: The redirect has the value "http://www.correiabr.net/..." that is blocked on the server to prevent hacking.
(issue imported from #M296)

Actions #1

Updated by old_facorreia about 20 years ago

Please close this bug note.

I found out this security measure was just local to one server.

It is intended to prevent a security problem in PHP Nuke and other PHP scripts that use include($file) carelessly.
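
The match described in this report can be reproduced offline. This is an added example, not TYPO3 code and not the server's actual rule: it assumes the filter is a plain substring match for http:// on each query parameter after one round of percent-decoding (the report does not name the filter), and the function names are hypothetical. It runs that rule over the URL from the report and over a constructed variant whose redirect value is site-relative.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request line copied from the report above.
REPORTED_URL = (
    "/quickstart-3.6.2/typo3/tce_db.php?redirect=http%3A%2F%2Fwww.correiabr.net"
    "%2Fquickstart-3.6.2%2Ftypo3%2Falt_mod_frameset.php%3FfW%3D0%26nav%3Dmod%252Fweb"
    "%252F..%252F..%252Falt_db_navframe.php%26script%3Dsysext%252Fcms%252Flayout"
    "%252Fdb_layout.php%26id%3D&data[pages]7[hidden]=1&prErr=1&vC=573798c6e7"
)

# Assumption: the report only says "http://" is blocked in script parameters,
# so the rule is modelled as a substring match on each decoded value.
BLOCKED = "http://"


def decoded_params(url):
    """Query parameters as (name, value) pairs, percent-decoded once."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def blocked_params(url):
    """Names of the parameters the assumed rule would reject."""
    return [name for name, value in decoded_params(url) if BLOCKED in value]


def with_site_relative_redirect(url):
    """Constructed variant: same request, redirect target without scheme and host."""
    pairs = []
    for name, value in decoded_params(url):
        if name == "redirect":
            t = urlsplit(value)
            value = urlunsplit(("", "", t.path, t.query, t.fragment))
        pairs.append((name, value))
    return urlsplit(url).path + "?" + urlencode(pairs)


if __name__ == "__main__":
    print("reported:", blocked_params(REPORTED_URL))
    variant = with_site_relative_redirect(REPORTED_URL)
    print("site-relative:", blocked_params(variant))
    print(dict(decoded_params(variant))["redirect"])
```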
