Bug #23675

It is (still) possible to download arbitrary files through the jumpurl feature

Added by Helmut Hummel about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Communication
Target version: -
Start date: 2010-10-05
Due date:
% Done: 0%
TYPO3 Version: 4.2
PHP Version: 5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Quote from Gregor Kopf

===========

I have identified two issues in Typo3, which can be combined to evade
the juSecure/juHash validation and therefore to download arbitrary
files from the server. The details are described below.

1) Non-typesafe comparison
[REMOVED]

2) Short hash value
[REMOVED]

OTRS: 2010100410000034
Reporter: Gregor Kopf
(issue imported from #M15898)

15898_trunk.diff (4.01 KB) Administrator Admin, 2010-10-05 01:45
15898_4-4.diff (4 KB) Administrator Admin, 2010-10-05 01:50
15898_4-3.diff (4 KB) Administrator Admin, 2010-10-05 02:07
15898_4-2.diff (3.92 KB) Administrator Admin, 2010-10-05 02:17
15898_trunk_v2.diff (4.04 KB) Administrator Admin, 2010-10-05 02:29
15898_4-4_v2.diff (4.03 KB) Administrator Admin, 2010-10-05 02:29
15898_4-3_v2.diff (4.03 KB) Administrator Admin, 2010-10-05 02:29
15898_4-2_v2.diff (3.95 KB) Administrator Admin, 2010-10-05 02:30
fix_15898.sh (1.09 KB) Administrator Admin, 2010-10-05 13:57


Related issues

Related to TYPO3 Core - Bug #23682: jumpurl.secure fails if no mimeTypes are set (Closed, 2010-10-06)

History

#1 Updated by Helmut Hummel about 7 years ago

Exploit Code:

=====================
[REMOVED]
====================

[REMOVED]

#2 Updated by Helmut Hummel about 7 years ago

added t3lib_div::resolveBackPath before creating the absolute filename for enhanced compatibility to the current behaviour in the v2 patches

#3 Updated by Marcus Krause about 7 years ago

+1 by reading v2
+1 by testing v2 on 4-2, 4-3 and 4-4
