
11/14/05

Security Bulletin TYPO3-20051114-7: fileadmin/_temp_/


Component Type: Core

Affected Components: File Editor in Install Tool


Versions: TYPO3 3.8.0 and earlier

Vulnerability Type: Information Disclosure

Severity: High


Problem Description:
Sensitive information can end up stored in the fileadmin/_temp_/ directory. If your web server is misconfigured to allow directory indexing, this directory can be browsed and the information it holds exposed.


Solution:

In general, configure your web server not to allow directory indexing (or limit it to the directories where you really want it).

Furthermore, we recommend creating a .htaccess file in fileadmin/_temp_/ that contains the lines

Order deny,allow
Deny from all

From TYPO3 3.8.1 on, full installation packages ("Dummy", "Quickstart" etc.) contain this .htaccess file by default.
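As an added example (not part of this bulletin or of TYPO3 itself), the following script audits a TYPO3 document root for the exposure described above: it checks that fileadmin/_temp_/ carries a .htaccess with the deny-all rule and lists the files a directory index would reveal when it does not. It assumes an Apache web server; besides the Apache 2.2 pair quoted in the bulletin it also accepts the Apache 2.4 form "Require all denied", and the sample document root it builds is constructed test data.

```python
import re
import tempfile
from pathlib import Path

# Deny-all rules recognised in .htaccess: the Apache 2.2 pair from the bulletin,
# or the Apache 2.4 equivalent "Require all denied" (assumption: the server is
# Apache; Order/Deny only work on 2.4 when mod_access_compat is loaded).
ORDER_RE = re.compile(r"^\s*Order\s+deny\s*,\s*allow\s*$", re.I | re.M)
DENY_RE = re.compile(r"^\s*Deny\s+from\s+all\s*$", re.I | re.M)
REQUIRE_RE = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.I | re.M)


def htaccess_denies_all(text: str) -> bool:
    """True if the .htaccess body contains a complete deny-all rule."""
    return bool(ORDER_RE.search(text) and DENY_RE.search(text)) or bool(REQUIRE_RE.search(text))


def audit_temp_dir(docroot: str) -> dict:
    """Audit <docroot>/fileadmin/_temp_/ for the exposure in the bulletin.

    Reports whether the directory exists, whether a deny-all .htaccess protects
    it, and which files a directory listing would reveal if it does not.
    """
    temp_dir = Path(docroot) / "fileadmin" / "_temp_"
    result = {"exists": temp_dir.is_dir(), "protected": False, "exposed_files": []}
    if not result["exists"]:
        return result
    htaccess = temp_dir / ".htaccess"
    if htaccess.is_file():
        result["protected"] = htaccess_denies_all(htaccess.read_text(errors="replace"))
    if not result["protected"]:
        # Everything except the .htaccess itself shows up in an index listing.
        result["exposed_files"] = sorted(p.name for p in temp_dir.iterdir()
                                         if p.name != ".htaccess")
    return result


def build_sample_docroot(protect: bool) -> str:
    """Constructed sample: a throwaway docroot with one leftover file in _temp_."""
    root = tempfile.mkdtemp(prefix="typo3-audit-")
    temp_dir = Path(root) / "fileadmin" / "_temp_"
    temp_dir.mkdir(parents=True)
    (temp_dir / "export.sql").write_text("-- constructed sample, not real data\n")
    if protect:
        (temp_dir / ".htaccess").write_text("Order deny,allow\nDeny from all\n")
    return root


if __name__ == "__main__":
    import sys
    print(audit_temp_dir(sys.argv[1] if len(sys.argv) > 1 else build_sample_docroot(False)))
```

Run it with the path of a real TYPO3 document root to audit that installation; without an argument it audits the constructed sample, which reports export.sql as exposed.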


Credits:
Thanks to Stefan Aebischer for notifying us.