Information disclosure in adodb/
Not fully tested, but IMO it is possible to select any data from any table within TYPO3\CMS\Adodb\View\CheckConnectionWizardView; just a BE login is needed.
ext:datasources must be installed; then some non-admin can "dump" the data of any row of this table via checkconnectionwiz.
It is not possible to dump an arbitrary table, and also this does not work if adodb or datasources is not installed.
Remove all this "connection" code that depends on ext:datasources in 6.2. For versions below, the script is sanitized a bit better with an "if not be_user is admin -> die" or similar.
- Project changed from 1716 to TYPO3 Core
- Category deleted (T3-03: Information Disclosure)
Since the attack vector is very low, this issue is opened and goes through the regular review process now.
- Status changed from New to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed