Component Type: Core
Affected Component: Debug Script
Version: 3.8.0 and earlier
Vulnerability Type: Information Disclosure
Severity: Low
Problem Description:
A debug script exposes system information provided by phpinfo(). The script can be executed by a remote user.
Solution:
Remove the script, apply a patch or restrict access to the directory.
- Remove the directory typo3_src-3.x.x/misc/phpcheck
- A patch to prevent execution of the script is available. In typo3_src-3.x.x/misc/phpcheck/incfile.php, it inserts a die() function on top of the code. You can find it on bugs.typo3.org/view.php
- Use any of the favorite access restriction methods of your webserver. For example, in Apache, use mod_access or mod_auth directives.
Additional information:
This issue is fixed in the CVS version of the TYPO3 core and will be fixed in 3.8.1 as well.
References:
TYPO3 bugtracker, ID #1250 at bugs.typo3.org/view.php
Credits:
Thanks to Christian Lerrahn for pointing out this issue to us.