Web Resource Restrictions

Categories: Development Created by Oliver Hader
It has been discovered that development related information can be retrieved by regular HTTP GET requests on NGINX web server environments missing strict access restriction settings.
  • Release Date: November 20, 2018
  • Component Type: Web server hosting environment
  • Impact: Information disclosure of developer related resources
  • Type: Advisory

Problem Description

The TYPO3 security team has been informed about the possibility to retrieve development related information - such as Composer or TypoScript configurations - by regular HTTP GET requests on NGINX web server environments missing strict access restriction settings.

The TYPO3 core already provides default configuration for Apache web server and Microsoft Internet Information Server (IIS) using custom override techniques (.htaccess and web.config declarations). Since this functionality is not available on web servers running NGINX, server maintainers have to ensure internal resources are restricted from being exposed to the public web interface.

This  information could be used by attackers in order to infer internal system behavior as well as to identify specific release versions (TYPO3 core, extensions, packages).

Solution

The TYPO3 security guide has been extended and addresses the topic in greater detail. Primarily, hosting environments using NGINX should be adjusted and reviewed in order to not expose internal information anymore. Apache and IIS environments were already provided with default values delivered by the TYPO3 core, but should be reviewed once more whether their restriction settings are up-to-date. A section showing potential URLs that should be restricted has been added to the security guide accordingly.

Links

Credits

Credits go to Peter Schuler & Thomas Löffler who reported the vulnerability.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.