Bug #3506

Recycler: Possible security issue

Added by Fabien Udriot over 9 years ago. Updated over 7 years ago.

Status: Rejected
Priority: -- undefined --
Assignee: -
Category: -
Target version: -
Start date: 2009-05-28
Due date:
% Done: 0%

TYPO3 Version: 4.3
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hi,

I found out that a regular BE user who has no access to the recycler module can still access a URL like this:

http://mywebsite/typo3/ajax.php?ajaxID=tx_recycler::controller&startUid=7&cmd=getTables&depth=1&_dc=1243542264808

This is a potential security hole, since a BE user could play with the URL and get information they are not allowed to access. I suggest adding a simple check at the top of the file class/controller/class.tx_recycler_controller_ajax.php:

// Check whether the user has access to the recycler backend module
global $BE_USER;
$MCONF['name'] = 'web_txrecyclerM1';   // module key of the recycler module
$MCONF['access'] = 'user,group';       // who may be granted the module
$BE_USER->modAccess($MCONF, 1);        // This check makes sure the user has permission to access this class. Exits if that's not the case.
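The two layers that this ticket and its rejection talk about, an entry-point module check on the AJAX dispatcher and a per-table permission check inside the data model, as an added stand-alone illustration. This is not TYPO3 or recycler code: FakeBackendUser, DeletedRecordsModel and RecyclerAjaxController are constructed stand-ins for $BE_USER, tx_recycler_model_deletedRecords and tx_recycler_controller_ajax, and the deleted-record data is made up. It only mirrors the shape of $BE_USER->modAccess() and of the table-level check that tx_recycler_helper::checkAccess() performs.

```php
<?php
// Constructed example (PHP 7.4+), not TYPO3 code. Shows why the reporter's
// entry-point check is defence in depth: even without it, a model that checks
// access per table returns nothing the caller may not read.

final class FakeBackendUser
{
    private bool $isAdmin;
    private array $modules;       // module keys the user or their groups may open
    private array $tablesSelect;  // tables the user may read

    public function __construct(bool $isAdmin, array $modules, array $tablesSelect)
    {
        $this->isAdmin = $isAdmin;
        $this->modules = $modules;
        $this->tablesSelect = $tablesSelect;
    }

    // Same shape as $BE_USER->modAccess($MCONF, $exitOnError): true when the user
    // may enter the module named in $conf['name'], otherwise false or an abort.
    public function modAccess(array $conf, bool $exitOnError = false): bool
    {
        $ok = $this->isAdmin || in_array($conf['name'], $this->modules, true);
        if (!$ok && $exitOnError) {
            throw new RuntimeException('Module access denied: ' . $conf['name']);
        }
        return $ok;
    }

    // Table-level read permission, the kind of check a model layer applies
    // before handing a record back, whichever entry point asked for it.
    public function checkTableAccess(string $table): bool
    {
        return $this->isAdmin || in_array($table, $this->tablesSelect, true);
    }
}

final class DeletedRecordsModel
{
    // Constructed sample data: table => deleted rows.
    private const DELETED = [
        'pages'      => [['uid' => 7, 'title' => 'Old page']],
        'tt_content' => [['uid' => 42, 'header' => 'Old element']],
        'be_users'   => [['uid' => 3, 'username' => 'former-editor']],
    ];

    // Returns table => number of deleted rows, but only for readable tables.
    public function getTables(FakeBackendUser $user): array
    {
        $result = [];
        foreach (self::DELETED as $table => $rows) {
            if (!$user->checkTableAccess($table)) {
                continue; // drop tables the user may not read
            }
            $result[$table] = count($rows);
        }
        return $result;
    }
}

final class RecyclerAjaxController
{
    private FakeBackendUser $user;

    public function __construct(FakeBackendUser $user)
    {
        $this->user = $user;
    }

    // The entry-point check proposed in the ticket runs before any command is
    // dispatched, so callers without the module never reach the model.
    public function dispatch(array $params): array
    {
        $this->user->modAccess(['name' => 'web_txrecyclerM1', 'access' => 'user,group'], true);

        switch ($params['cmd'] ?? '') {
            case 'getTables':
                return (new DeletedRecordsModel())->getTables($this->user);
            default:
                throw new InvalidArgumentException('Unknown cmd');
        }
    }
}

// Usage with constructed users: an editor without the recycler module is
// stopped at the entry point; a recycler user with read access to "pages"
// only gets the "pages" count back from the model.
$editor = new FakeBackendUser(false, [], ['pages', 'tt_content']);
$recyclerUser = new FakeBackendUser(false, ['web_txrecyclerM1'], ['pages']);

try {
    (new RecyclerAjaxController($editor))->dispatch(['cmd' => 'getTables']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

print_r((new RecyclerAjaxController($recyclerUser))->dispatch(['cmd' => 'getTables']));
```

Removing the modAccess() line from dispatch() still leaves the editor with an empty or filtered result, which is the property the rejection below relies on; keeping both checks means a future command that forgets the model check is still not reachable by users outside the module.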

History

#1 Updated by Chris topher over 7 years ago

  • Project changed from TYPO3 Recycler to TYPO3 Core
  • Target version deleted (TYPO3 4.3 beta)

#2 Updated by Chris topher over 7 years ago

  • Subject changed from Possible security issue to Recycler: Possible security issue
  • TYPO3 Version set to 4.3

#3 Updated by Helmut Hummel over 7 years ago

  • Project changed from TYPO3 Core to Core Security

Moved to Core-Security project because it's security relevant

#4 Updated by Helmut Hummel over 7 years ago

  • Status changed from New to Rejected
  • Priority changed from Must have to -- undefined --
  • Patch is reviewed set to No
  • Has patch set to No

While it is not nice to be able to call the method, there is no information disclosure here, because the access is checked correctly in the class tx_recycler_model_deletedRecords in any case. So the user cannot get or modify anything without the proper permissions.

@see tx_recycler_helper::checkAccess()

#5 Updated by Helmut Hummel over 7 years ago

  • Category set to T3-03: Information Disclosure

#6 Updated by Helmut Hummel over 7 years ago

  • Project changed from Core Security to TYPO3 Core
  • Category deleted (T3-03: Information Disclosure)
