Project

General

Profile

Actions
Copy link

Bug #24224

closed

It is possible to bypass "verifyFilenameAgainstDenyPattern"

Added by Helmut Hummel over 13 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Oliver Hader
Category:
-
Target version:
-
Start date:
2010-11-29
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The method does not normalize the string before checking it with a regular expression. By passing a null byte it is possible to bypass the check (see expoit code).

Reporter: Gregor Kopf, Luca Carettoni
OTRS: 2010100410000034, 2010112810000014
(issue imported from #M16593)

Files

Download all files
0016593.patch (595 Bytes) 0016593.patch Administrator Admin, 2010-12-06 16:11
16593_42.patch (1.88 KB) 16593_42.patch Administrator Admin, 2010-12-09 22:47
16593_43.patch (1.88 KB) 16593_43.patch Administrator Admin, 2010-12-09 22:48
16593_44.patch (1.88 KB) 16593_44.patch Administrator Admin, 2010-12-09 22:48
16593_45.patch (1.83 KB) 16593_45.patch Administrator Admin, 2010-12-09 22:48
16593_test_43.patch (1.43 KB) 16593_test_43.patch Administrator Admin, 2010-12-09 22:48
16593_test_44.patch (1.32 KB) 16593_test_44.patch Administrator Admin, 2010-12-09 22:48
16593_test_45.patch (1.32 KB) 16593_test_45.patch Administrator Admin, 2010-12-09 22:48
Actions
Copy link
 #1

Updated by Helmut Hummel over 13 years ago

Exploit code:
typo3conf/localconf.php%00/foobar/xx

Actions
Copy link
 #2

Updated by Oliver Hader over 13 years ago

I added one line that cuts off all control characters.

Actions
Copy link
 #3

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF