Bug #98264
Logging "unsupported" HTTP request methods as an exception into the log is wrong
Description
The class TYPO3\CMS\Core\Http\Request will log any "unsupported" HTTP method as an Exception to the logs: \InvalidArgumentException('Unsupported HTTP method "' . $method . '".', 1436717275);
Knowing this, one can exploit any modern TYPO3 setup by simply doing curl -XUNKWNONMETHOD https://target-host in a "slow" loop (slow enough to not be considered a DoS) and spam everyone's sys_log.
The correct way of handling an unsupported method is by answering with 501 (Not Implemented).
Discovered in v10, but still valid in current master.
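The handling proposed in the description, as an added example that is not part of the original report or of TYPO3's code: a guard that answers 501 before any request object is built, so no exception is thrown or logged. The function names, the allow-list and the in-memory counter are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Assumed allow-list for this sketch; the framework's Request class holds the real one.
const SUPPORTED_METHODS = ['CONNECT', 'DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT', 'TRACE'];

/** Make a client-supplied method safe for one log line: printable ASCII only, capped at 32 characters. */
function methodForLog(string $method): string
{
    return substr(preg_replace('/[^\x21-\x7E]/', '?', $method) ?? '', 0, 32);
}

/**
 * Hypothetical guard, run before any request object is constructed.
 * Returns null for a supported method (continue normally), otherwise a
 * 501 response description. Nothing is thrown, so nothing reaches the
 * exception log; $counters keeps one aggregate count per rejected method
 * (in memory here, standing in for a metric or low-severity log channel).
 */
function guardMethod(string $method, array &$counters): ?array
{
    // Method tokens are case-sensitive (RFC 9110), so compare strictly.
    if (in_array($method, SUPPORTED_METHODS, true)) {
        return null;
    }
    $key = methodForLog($method);
    $counters[$key] = ($counters[$key] ?? 0) + 1;
    return ['status' => 501, 'reason' => 'Not Implemented', 'body' => "501 Not Implemented\n"];
}

// Constructed sample requests, including the method used in the report.
$counters = [];
foreach (['GET', 'UNKWNONMETHOD', 'UNKWNONMETHOD', "FOO\r\nfake log line", 'post'] as $method) {
    $response = guardMethod($method, $counters);
    printf(
        "%-24s %s\n",
        json_encode($method),
        $response === null ? 'continue' : $response['status'] . ' ' . $response['reason']
    );
}
print_r($counters);
```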
Updated by Stefan P over 1 year ago
- Subject changed from Logging "unspported" HTT request methods as an exception into the log is wrong to Logging "unsupported" HTTP request methods as an exception into the log is wrong
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613
Updated by Gerrit Code Review 6 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75613