Bug #15402

Security Vulnerability: Information Leakage - the full filesystem path is disclosed when certain files are requested

Added by old_apdavis over 10 years ago. Updated almost 10 years ago.

Status: Closed
Start date: 2006-01-13
Priority: Should have
Due date:
Assigned To: Ingmar Schlecht
% Done: 0%
Category: -
Spent time: -
Target version: -
TYPO3 Version: 3.7.1
Complexity:
PHP Version: 4
Is Regression:
Tags:
Sprint Focus:

Description

IRM has discovered an information leakage in Typo3 content manager that allows remote users to disclose the file system path of the application when requesting certain files.

The following files were found to disclose the application path:

http://hostname/typo3/t3lib/thumbs.php
http://hostname/tslib/showpic.php
http://hostname/t3lib/stddb/tables.php

Technical details

The issue is due to the application failing to properly determine its own physical path and therefore trying to 'require()' a wrong class file.

From PHP manual:
You can define a constant by using the define()-function. Once a constant is defined, it can never be changed or undefined

The vulnerable files listed above fail to include init.php and the 'PATH_thisScript' variable is locally calculated:

// Script path is calculated locally because init.php is not included
define('PATH_thisScript', str_replace('//', '/', str_replace('\\', '/',
    (php_sapi_name()=='cgi' || php_sapi_name()=='isapi' || php_sapi_name()=='cgi-fcgi')
        && ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    ? ($_SERVER['ORIG_PATH_TRANSLATED'] ? $_SERVER['ORIG_PATH_TRANSLATED'] : $_SERVER['PATH_TRANSLATED'])
    : ($_SERVER['ORIG_SCRIPT_FILENAME'] ? $_SERVER['ORIG_SCRIPT_FILENAME'] : $_SERVER['SCRIPT_FILENAME'])
)));

// Removes the trailing "directory/file" part of the script path
define('PATH_site', ereg_replace('[^/]*.[^/]*$','',PATH_thisScript));

define('PATH_t3lib', PATH_site.'t3lib/');
define('PATH_tslib', PATH_site.'tslib/');

At this point, constants 'PATH_t3lib' and 'PATH_tslib' contain wrong values and any 'require()' function using these constants will not work and will disclose the file system path.

(issue imported from #M2248)

path_disclosure_fix.patch (1.8 kB) Administrator Admin, 2006-01-14 03:10
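Added example (not part of the original report or of the TYPO3 code base): a Python check that a site owner can run over response bodies collected from their own installation to flag the PHP include-failure messages described above and list the filesystem paths they expose. The sample bodies, the /srv/www/example paths and the function names are constructed for illustration.

```python
import re

TAGS = re.compile(r"<[^>]+>")            # html_errors wraps messages in <b>, <br />
ABS = r"(?:/|[A-Za-z]:[\\/])[^\s'()]*"   # absolute Unix path or Windows drive path
PATTERNS = [
    # PHP 4 reports "main(<path>)", later versions "require(<path>)" etc.
    re.compile(r"\b(?:main|require|include)(?:_once)?\((" + ABS +
               r")\): failed to open stream", re.I),
    re.compile(r"Failed opening (?:required )?'(" + ABS + r")'", re.I),
    # The "in <script> on line <n>" suffix names the script that raised the error.
    re.compile(r"\bin (" + ABS + r") on line \d+"),
]

def leaked_paths(body):
    """Return the sorted, de-duplicated absolute paths shown in PHP include errors."""
    text = TAGS.sub("", body)
    found = set()
    for pattern in PATTERNS:
        found.update(pattern.findall(text))
    return sorted(found)

def scan(responses):
    """Map each URL whose body discloses a path to the list of disclosed paths."""
    report = {}
    for url, body in responses.items():
        paths = leaked_paths(body)
        if paths:
            report[url] = paths
    return report

# Constructed sample bodies; the paths are placeholders, not real server output.
SAMPLE = {
    "http://hostname/t3lib/stddb/tables.php": (
        "<br />\n<b>Warning</b>:  main(/srv/www/example/t3lib/t3lib/class.example.php): "
        "failed to open stream: No such file or directory in "
        "<b>/srv/www/example/t3lib/stddb/tables.php</b> on line <b>12</b><br />\n"
        "<b>Fatal error</b>:  main(): Failed opening required "
        "'/srv/www/example/t3lib/t3lib/class.example.php' "
        "(include_path='.:/usr/share/php') in "
        "<b>/srv/www/example/t3lib/stddb/tables.php</b> on line <b>12</b><br />"
    ),
    "http://hostname/index.php": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for url, paths in scan(SAMPLE).items():
        print(url, "discloses", ", ".join(paths))
```

A path containing spaces is reported only up to the first space, which is still enough to flag the response.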

History

#1 Updated by Ingmar Schlecht over 10 years ago

Fixed some time ago in CVS.
