Feature #17710
Closed
config.baseURL is too constricting
0%
Description
In bug 0001670 it was demonstrated that config.baseURL = 1 was an insecure setting as it allows for an injection of an arbitrary <base> tag via the HTTP-HOST variable. However, this is only applicable in a scenario where a web server is configured to deliver any host addressed to the same typo3 installation (i.e., regardless of the client's Host: site.com in the HTTP request, input will be directed to a typo3 site).
In my setup, I am running Apache with the VirtualDocumentRoot setting in order to host multiple typo3 sites. As typo3 may only be visited at explicit vhosts (which are specified via the Host: header bit), this exploit will not work against sites running in this manner. Therefore, the ability to have a default template that performed a config.baseURL=1-like function (perhaps config.baseURL=HTTP_HOST so it is more obvious) would be advantageous, and also not dangerous due to the host checking that would occur within the webserver itself. Obviously you have to weigh this against the possibility that someone is lazy and allows themselves to be exploited, but some sort of appropriate enabling piece of typoscript could hopefully remedy this.
(issue imported from #M6564)
Updated by Tom about 17 years ago
In addition, with this setup, it would be easy to allow typo3 to be referenced by other URLs by simply creating a symlink to the typo3 installation within a virtual document root. With the default, the template would have to be modified for each extra address by which the instance would be visited.
Updated by Martin Kutschker about 17 years ago
This can be done with conditions (see http://typo3.org/documentation/document-library/references/doc_core_tsref/4.1.0/view/4/1/). You need a condition for every allowed domain.
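A sketch of the per-domain conditions approach mentioned in the comment above, added here as an example and not taken from the thread or from TYPO3's own templates. The hostnames are constructed placeholders, and the `globalString` condition with `IENV:HTTP_HOST` is assumed to be available in the TYPO3 version in use.

```typoscript
# Setting the issue describes as insecure: the <base> tag is built from
# whatever Host header the client sends.
# config.baseURL = 1

# Default: a fixed canonical URL, used whenever no condition below matches,
# so an unexpected Host header never reaches the <base> tag.
config.baseURL = http://www.example.com/

# One condition per additional allowed host (constructed hostnames).
[globalString = IENV:HTTP_HOST = shop.example.com]
config.baseURL = http://shop.example.com/
[global]

[globalString = IENV:HTTP_HOST = intranet.example.com]
config.baseURL = http://intranet.example.com/
[global]
```

Each baseURL value is a literal from the template, so the allowlist lives in TypoScript rather than depending on how the web server routes unknown hosts.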