Project

General

Profile

Actions

Bug #15402

closed

Security Vulnerability: Information Leakage - the full filesystem path is disclosed when certain files are requeted

Added by old_apdavis about 18 years ago. Updated over 17 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2006-01-13
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
3.7.1
PHP Version:
4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

IRM has discovered an information leakage in Typo3 content manager that allows remote users to disclose the file system path of the application when requesting certain files.

The following files were found to disclose the application path:

http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php

Technical details

The issue is due to the application failing to properly determine its own physical path and therefore trying to 'require()' a wrong class file. ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])?
($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME']))));

From PHP manual:
You can define a constant by using the define()-function. Once a constant is defined, it can never be changed or undefined

The vulnerable files listed above fail to include init.php and the 'PATH_thisScript' variable is locally calculated:

define('PATH_thisScript',str_replace('//','/', str_replace('\\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])?
($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME']))));

define('PATH_site', ereg_replace('[^/]*.[^/]*$','',PATH_thisScript));

define('PATH_t3lib', PATH_site.'t3lib/'); define('PATH_tslib', PATH_site.'tslib/');

At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values and any 'require()' function using these constants will not work and will disclose the file system path.

(issue imported from #M2248)


Files

path_disclosure_fix.patch (1.81 KB) path_disclosure_fix.patch Administrator Admin, 2006-01-14 03:10
Actions #1

Updated by Ingmar Schlecht about 18 years ago

Fixed some time ago in CVS.

Actions

Also available in: Atom PDF