Bug #23675

It is (still) possible to download arbitrary files through the jumpurl feature

Added by Helmut Hummel over 6 years ago. Updated over 6 years ago.

Status: Closed
Start date: 2010-10-05
Priority: Must have
Due date:
Assigned To: -
% Done: 0%
Category: Communication
Target version: -
TYPO3 Version: 4.2
Complexity:
PHP Version: 5.2
Is Regression:
Tags:
Sprint Focus:

Description

Quote from Gregor Kopf

===========

I have identified two issues in TYPO3, which can be combined to evade
the juSecure/juHash validation and therefore to download arbitrary
files from the server. The details are described below.

1) Non-typesafe comparison
[REMOVED]

2) Short hash value
[REMOVED]

OTRS: 2010100410000034
Reporter: Gregor Kopf
(issue imported from #M15898)

Files

15898_trunk.diff (4 kB) Administrator Admin, 2010-10-05 01:45
15898_4-4.diff (4 kB) Administrator Admin, 2010-10-05 01:50
15898_4-3.diff (4 kB) Administrator Admin, 2010-10-05 02:07
15898_4-2.diff (3.9 kB) Administrator Admin, 2010-10-05 02:17
15898_trunk_v2.diff (4 kB) Administrator Admin, 2010-10-05 02:29
15898_4-4_v2.diff (4 kB) Administrator Admin, 2010-10-05 02:29
15898_4-3_v2.diff (4 kB) Administrator Admin, 2010-10-05 02:29
15898_4-2_v2.diff (4 kB) Administrator Admin, 2010-10-05 02:30
fix_15898.sh (1.1 kB) Administrator Admin, 2010-10-05 13:57


Related issues

related to Core - Bug #23682: jumpurl.secure fails if no mimeTypes are set (Closed, 2010-10-06)

History

#1 Updated by Helmut Hummel over 6 years ago

Exploit Code:

=====================
[REMOVED] ====================

[REMOVED]

#2 Updated by Helmut Hummel over 6 years ago

Added t3lib_div::resolveBackPath before creating the absolute filename for enhanced compatibility to the current behaviour in the v2 patches.

#3 Updated by Marcus Krause over 6 years ago

+1 by reading v2
+1 by testing v2 on 4-2, 4-3 and 4-4
