Bug #23675: It is (still) possible to download arbitrary files through the jumpurl feature - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #23675

closed

It is (still) possible to download arbitrary files through the jumpurl feature

Added by Helmut Hummel over 13 years ago. Updated over 13 years ago.

Status:

Closed

Priority:

Must have

Assignee:

Category:

Communication

Target version:

Start date:

2010-10-05

Due date:

% Done:

Estimated time:

TYPO3 Version:

4.2

PHP Version:

5.2

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Quote from Gregor Kopf

===========

I have identified two issues in Typo3, which can be combined to evade
the juSecure/juHash validation and therefore to download arbitrary
files from the server. The details are described below.

1) Non-typesafe comparison
[REMOVED]

2) Short hash value
[REMOVED]

OTRS: 2010100410000034
Reporter: Gregor Kopf
(issue imported from #M15898)

Files

Download all files

15898_trunk.diff (4.01 KB) 15898_trunk.diff		Administrator Admin, 2010-10-05 01:45
15898_4-4.diff (4 KB) 15898_4-4.diff		Administrator Admin, 2010-10-05 01:50
15898_4-3.diff (4 KB) 15898_4-3.diff		Administrator Admin, 2010-10-05 02:07
15898_4-2.diff (3.92 KB) 15898_4-2.diff		Administrator Admin, 2010-10-05 02:17
15898_trunk_v2.diff (4.04 KB) 15898_trunk_v2.diff		Administrator Admin, 2010-10-05 02:29
15898_4-4_v2.diff (4.03 KB) 15898_4-4_v2.diff		Administrator Admin, 2010-10-05 02:29
15898_4-3_v2.diff (4.03 KB) 15898_4-3_v2.diff		Administrator Admin, 2010-10-05 02:29
15898_4-2_v2.diff (3.95 KB) 15898_4-2_v2.diff		Administrator Admin, 2010-10-05 02:30
fix_15898.sh (1.09 KB) fix_15898.sh		Administrator Admin, 2010-10-05 13:57