Task #75104

closed

lockToDomain feature can be (easily) circumvented

Added by Helmut Hummel over 8 years ago. Updated about 6 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2016-03-14
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Sprint Focus:
Description

lockToDomain is only ever checked against HTTP_HOST, which is a request parameter and can therefore be faked.

This makes it possible to circumvent the lock by forging a request with a fake Host header value.

Of course the TYPO3 user must still be valid and active.
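The following is an added illustration, not TYPO3's own code: the lockToDomain comparison as the report describes it (against the request's Host header) beside a variant that compares against a host taken from server-side site configuration. The user array, the `$configuredHost` value and both function names are assumptions made for this example.

```php
<?php
// Added example (not TYPO3 code). Both functions decide whether a user whose
// record carries a lockToDomain value may log in for the current request.

// Weak: the locked domain is compared with HTTP_HOST, which is nothing more
// than the request's Host header and is therefore chosen by the client.
function lockToDomainMatchesWeak(array $user, array $server): bool
{
    if (($user['lockToDomain'] ?? '') === '') {
        return true; // no lock configured for this user
    }
    return strcasecmp($user['lockToDomain'], $server['HTTP_HOST'] ?? '') === 0;
}

// Hardened: compare against a canonical host that comes from server-side
// site configuration, which a request cannot influence. $configuredHost is an
// assumed value (e.g. the base host of the site being served), not a TYPO3 API.
function lockToDomainMatchesHardened(array $user, string $configuredHost): bool
{
    if (($user['lockToDomain'] ?? '') === '') {
        return true;
    }
    return strcasecmp($user['lockToDomain'], $configuredHost) === 0;
}

// Constructed scenario: the user is locked to admin.example.org, but the
// request arrives at an installation that is configured to serve
// www.example.org. The request's Host header is under the sender's control;
// the configured host is not.
$user = ['username' => 'editor', 'lockToDomain' => 'admin.example.org'];
$request = ['HTTP_HOST' => 'admin.example.org']; // header supplied by the client
$configuredHost = 'www.example.org';             // host this install is configured for

printf("weak check passes: %s\n", lockToDomainMatchesWeak($user, $request) ? 'yes' : 'no');
printf("hardened check passes: %s\n", lockToDomainMatchesHardened($user, $configuredHost) ? 'yes' : 'no');
```

The weak variant only reflects whatever Host value the client sent, so the lock adds no protection beyond what the web server's virtual-host routing already enforces; the hardened variant ties the decision to what the installation is actually configured to serve.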
