Project

General

Profile

Actions

Bug #14846

closed

Some environment variables are world readable by default

Added by Steffen Müller over 19 years ago. Updated over 18 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2005-06-30
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
3.7.0
PHP Version:
4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The debug script in
./typo3_src/misc/phpcheck/
displays environment variables, including phpinfo(). As this provides system information which can be retrieved by any remote user, we should regard this as an information leak which should be closed by default. Christian Lerrahn discovered and reported this issue to the security-list.
A die() function as in the install script was introduces by Jochen Weiland as a possible solution against permanent unauthorized access. The next step could be to integrate this script into the install tool.
A patch to insert the die() function is attached.

Browse to: http://www.targetdomain.com/typo3_src/misc/phpcheck/

This issue affects most versions of typo3, the patch is made with 3.7.0
(issue imported from #M1250)


Files

incfile.php.patch (601 Bytes) incfile.php.patch Administrator Admin, 2005-06-30 20:42
Actions

Also available in: Atom PDF