Project

General

Profile

Actions

Bug #23675

closed

It is (still) possible to download arbitrary files through the jumpurl feature

Added by Helmut Hummel about 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
Communication
Target version:
-
Start date:
2010-10-05
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.2
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Quote from Gregor Kopf

===========

I have identified two issues in Typo3, which can be combined to evade
the juSecure/juHash validation and therefore to download arbitrary
files from the server. The details are described below.

1) Non-typesafe comparison
[REMOVED]

2) Short hash value
[REMOVED]

OTRS: 2010100410000034
Reporter: Gregor Kopf
(issue imported from #M15898)


Files

15898_trunk.diff (4.01 KB) 15898_trunk.diff Administrator Admin, 2010-10-05 01:45
15898_4-4.diff (4 KB) 15898_4-4.diff Administrator Admin, 2010-10-05 01:50
15898_4-3.diff (4 KB) 15898_4-3.diff Administrator Admin, 2010-10-05 02:07
15898_4-2.diff (3.92 KB) 15898_4-2.diff Administrator Admin, 2010-10-05 02:17
15898_trunk_v2.diff (4.04 KB) 15898_trunk_v2.diff Administrator Admin, 2010-10-05 02:29
15898_4-4_v2.diff (4.03 KB) 15898_4-4_v2.diff Administrator Admin, 2010-10-05 02:29
15898_4-3_v2.diff (4.03 KB) 15898_4-3_v2.diff Administrator Admin, 2010-10-05 02:29
15898_4-2_v2.diff (3.95 KB) 15898_4-2_v2.diff Administrator Admin, 2010-10-05 02:30
fix_15898.sh (1.09 KB) fix_15898.sh Administrator Admin, 2010-10-05 13:57

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #23682: jumpurl.secure fails if no mimeTypes are setClosedSteffen Gebert2010-10-06

Actions
Actions #1

Updated by Helmut Hummel about 14 years ago

Exploit Code:

=====================
[REMOVED] ====================

[REMOVED]

Actions #2

Updated by Helmut Hummel about 14 years ago

added t3lib_div::resolveBackPath before creating the absolute filename for enhanced compatibility to the current behaviour in th v2 patches

Actions #3

Updated by Marcus Krause about 14 years ago

+1 by reading v2
+1 by testing v2 on 4-2, 4-3 and 4-4

Actions

Also available in: Atom PDF