TYPO3-20051114-1: TYPO3 Security Bulletin

Categories: TYPO3 CMS
Created by: Ekkehard Gümbel

Component Type: Core

Affected Components: File Editor in Install Tool

Versions: TYPO3 3.8.0 and earlier

Vulnerability Type: Information Disclosure

Severity: High

Problem Description:
The file editor functionality in the TYPO3 Install Tool (menu option "Edit files in typo3conf/") has an option that reads "Make backup copy". If set, the editor creates a backup copy whose name is the original file name with a "~" appended. Because a web server does not treat such a name as a PHP script, the backup may be delivered as a plain text file. Thus, sensitive information (e.g. the content of localconf.php) may be disclosed.

Note that the same problem can be caused by tools outside of TYPO3, e.g. PHP editors that write "~" backup files.

Solution:

The solution is part of the general maintenance upgrade to TYPO3 version 3.8.1, which all users of TYPO3 are advised to implement. In this version, the behaviour is changed for .php files: future backups are named *_bak.php instead.

Please make sure to remove (or rename accordingly) existing ".php~" backup files!

You may also consider introducing an extra .htaccess rule to prevent access to existing "~" backup files, wherever they may come from in the future:

<Files ~ "\~$">
Order deny,allow
Deny from all
</Files>
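The following script, added here as an illustration and not part of the TYPO3 bulletin or the TYPO3 code base, carries out the clean-up step above on an existing installation: it lists every "~" backup file below a given directory and renames the ".php~" ones to the "_bak.php" scheme that 3.8.1 uses, so the web server hands them to PHP instead of serving them as text. It assumes a POSIX shell with find(1) and mv(1); the directory argument and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the TYPO3 bulletin): locate editor backup files
# ending in "~" under a TYPO3 installation and rename the .php ones to the
# *_bak.php naming that TYPO3 3.8.1 uses. Assumes POSIX sh, find(1), mv(1).

# Print every file ending in "~" below the directory given as $1, one per line.
list_tilde_backups() {
    find "$1" -type f -name '*~' 2>/dev/null | sort
}

# Number of "~" backup files below $1 (tr strips the padding some wc print).
count_tilde_backups() {
    list_tilde_backups "$1" | wc -l | tr -d ' '
}

# Rename foo.php~ to foo_bak.php below the directory given as $1.
# An existing target is never overwritten; it is reported on stderr instead.
# Non-.php backups (e.g. notes.txt~) are left alone for the .htaccess rule.
rename_php_backups() {
    find "$1" -type f -name '*.php~' | while IFS= read -r f; do
        base=${f%.php~}
        target="${base}_bak.php"
        if [ -e "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        mv -- "$f" "$target" && echo "renamed: $f -> $target"
    done
}

# Usage: sh fix_backups.sh /path/to/typo3root
if [ -n "${1:-}" ]; then
    echo "$(count_tilde_backups "$1") backup file(s) ending in ~ found:"
    list_tilde_backups "$1"
    rename_php_backups "$1"
fi
```

Run it once with the TYPO3 root as argument, then review whatever list_tilde_backups still reports: those remaining files are exactly the ones the .htaccess rule above has to cover.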

Credits:
Thanks to Lars Houmark for notifying us.