Bug #15402
Security Vulnerability: Information Leakage - the full filesystem path is disclosed when certain files are requested
Status: closed
Description
IRM has discovered an information leakage in Typo3 content manager that allows remote users to disclose the file system path of the application when requesting certain files.
The following files were found to disclose the application path:
http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php
Technical details
The issue is due to the application failing to properly determine its own physical path and therefore trying to 'require()' a wrong class file.
From PHP manual:
You can define a constant by using the define()-function. Once a constant is defined, it can never be changed or undefined.
The vulnerable files listed above fail to include init.php, and the 'PATH_thisScript' constant is instead calculated locally:
    define('PATH_thisScript', str_replace('//', '/', str_replace('\\', '/',
        (php_sapi_name()=='cgi' || php_sapi_name()=='isapi' || php_sapi_name()=='cgi-fcgi')
        && ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
            ? ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
            : ($_SERVER['ORIG_SCRIPT_FILENAME'] ? $_SERVER['ORIG_SCRIPT_FILENAME'] : $_SERVER['SCRIPT_FILENAME']))));
    define('PATH_site', ereg_replace('[^/]*.[^/]*$', '', PATH_thisScript));
    define('PATH_t3lib', PATH_site.'t3lib/');
    define('PATH_tslib', PATH_site.'tslib/');
At this point the constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values, so any 'require()' using them fails, and the resulting PHP error message discloses the file system path.
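The following is an added illustration, not TYPO3's own code: it ports the PATH_site derivation quoted above to preg_replace() to show why it goes wrong for a script nested two directories deep (the stddb/tables.php case), and sketches a defensive alternative that anchors on __FILE__ and keeps include errors out of the response. All paths, the function names and the depth value are constructed assumptions.

```php
<?php
// Added example (not TYPO3 code). Sample paths below are constructed.

// Same derivation the advisory quotes, ported from ereg_replace to
// preg_replace: strip the trailing "dir/file" pair, which silently assumes
// the requested script sits exactly one directory below the site root.
// The unescaped '.' is kept as in the original; it matches the '/' between them.
function derivePathSite(string $thisScript): string
{
    return preg_replace('#[^/]*.[^/]*$#', '', $thisScript);
}

// One level deep: the assumption holds and the site root is correct.
assert(derivePathSite('/var/www/typo3/init.php') === '/var/www/');

// Two levels deep (t3lib/stddb/tables.php): PATH_site now points inside
// t3lib, so PATH_site.'t3lib/' names a directory that does not exist.
$wrongSite = derivePathSite('/var/www/t3lib/stddb/tables.php');
assert($wrongSite === '/var/www/t3lib/');
// require($wrongSite . 't3lib/class.t3lib_div.php') then fails with a fatal
// error whose message contains /var/www/t3lib/t3lib/...; with display_errors
// enabled that message, install path included, is sent to the remote client.

// Defensive alternative for a script that knows its own depth: derive the
// root from __FILE__ rather than request-influenced $_SERVER values, check
// the target exists, and log the detail instead of displaying it.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function requireFromSiteRoot(string $siteRoot, string $relative): void
{
    $target = $siteRoot . $relative;
    if (!is_file($target)) {
        error_log("missing include: $target"); // full path stays in the server log
        http_response_code(500);
        exit('Internal error');                 // generic message for the client
    }
    require $target;
}

// For a file living at <site>/t3lib/stddb/, the site root is three levels up
// (assumed layout for this example).
$siteRoot = dirname(__FILE__, 3) . '/';
// requireFromSiteRoot($siteRoot, 't3lib/class.t3lib_div.php');
```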
(issue imported from #M2248)