Go to: typo3.com Home TYPO3 Association Home typo3.org Home FLOW3 Bugtracker Forge (Development Platform) News Buzz (TYPO3 Blogs) Support (Mailinglist Archive, Beta) Wiki Mailing lists

Search:

Component Type: Core 

Affected Component: Debug Script 

Version: 3.8.0 and earlier
Vulnerability Type: Information Disclosure
Severity: Low

 

Problem Description:
A debug script exposes system information provided by phpinfo(). The script can be executed by a remote user.

Solution:
Remove the script, apply a patch or restrict access to the directory.

• Remove the directory typo3_src-3.x.x/misc/phpcheck
• A patch to prevent execution of the script is available. In typo3_src-3.x.x/misc/phpcheck/incfile.php, it inserts a die() function on top of the code. You can find it on bugs.typo3.org/view.php
• Use any of the favorite access restriction methods of your webserver. For example, in Apache, use mod_access or mod_auth directives.

 

Additional information:
This issue is fixed in the CVS version of the TYPO3 core and will be fixed in 3.8.1 as well.

References:
TYPO3 bugtracker, ID #1250 at bugs.typo3.org/view.php

Credits:
Thanks to Christian Lerrahn for pointing out this issue to us.