Component Type: TYPO3 Core
Affected Versions: ALL
Vulnerability Type: Image Access
Severity: minor
Problem Description:
TYPO3 uses a script t3lib/thumbs.php to display thumbnails of images and/or
PDF documents. It has been discovered that this script is not doing any
checks to see if the request is coming from a backend user who has access
to the file.
By design, thumbs.php is not making up any database connection, therefore it
is not possible to find out if the user is trusted or not. Instead, the
problem is solved by supplying an MD5 checksum which is only known to
trusted users.
The severity of this issue is only minor because usually all images are
accessible directly as soon as the file path is known. Of course this is
also required for access through thumbs.php, so the script can only be
misused in the situation of a locked directory where at the same time the
path to he image is known.
Solution:
Update to TYPO3 version 4.0.3 or later.
Credits:
Credits go to Marc Bastian Heinrichs for discovering and reporting this
issue, and to Michael Stucki for providing a patch.
TYPO3 v13.1—The Surfer’s Starterkit
Today we published the second sprint release of the v13 series: TYPO3 version 13.1. You can now consolidate site configurations as Site Sets and reuse…