Component Type: Core
Affected Components: File Editor in Install Tool
Versions: TYPO3 3.8.0 and earlier
Vulnerability Type: Information Disclosure
Sensitive information can end up stored in the fileadmin/_temp_/ directory. If your web server is misconfigured, this directory can be browsable and therefore expose that information.
Generally, please make sure to configure your web server to not allow directory indexing (or limit it to directories where you really want it).
Furthermore, we recommend creating a .htaccess file in fileadmin/_temp_/ that contains the line
Deny from all
From TYPO3 3.8.1 on, full installation packages ("Dummy", "Quickstart" etc.) contain this .htaccess file by default.
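An added example, not part of the original advisory or of TYPO3: a small shell audit that checks whether a document root has the recommended .htaccess in fileadmin/_temp_/ and appends the rule if it is missing. The function names and status codes are assumptions of this example; it goes slightly beyond the advisory by also accepting "Require all denied", the Apache 2.4 form of the same rule.

```shell
#!/bin/sh
# Added example: audit a TYPO3 document root for the advisory's .htaccess.
# Status codes (chosen for this example):
#   0 = fileadmin/_temp_/.htaccess exists and contains an active deny rule
#   1 = directory exists, but .htaccess is missing or has no active deny rule
#   2 = fileadmin/_temp_/ does not exist under the given document root

check_temp_htaccess() {
    dir="$1/fileadmin/_temp_"
    [ -d "$dir" ] || return 2
    [ -f "$dir/.htaccess" ] || return 1
    # Match the advisory's "Deny from all" (Apache 2.2 syntax) or the
    # Apache 2.4 equivalent "Require all denied". The rule must be the whole
    # line, so a commented-out "# Deny from all" does not count.
    grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' \
        "$dir/.htaccess" || return 1
    return 0
}

# Append the advisory's rule when the check reports status 1.
# Existing .htaccess content is kept; nothing is created if the
# directory itself is absent (status 2 is passed through).
fix_temp_htaccess() {
    rc=0
    check_temp_htaccess "$1" || rc=$?
    case $rc in
        0) return 0 ;;
        2) return 2 ;;
    esac
    printf 'Deny from all\n' >> "$1/fileadmin/_temp_/.htaccess"
}

# Direct use: sh audit.sh /path/to/docroot   (path is a placeholder)
if [ "$#" -ge 1 ]; then
    rc=0
    check_temp_htaccess "$1" || rc=$?
    echo "fileadmin/_temp_/ check status: $rc"
fi
```

A status of 0 only shows that the file is in place; the web server must also be configured to honour .htaccess files for the rule to take effect.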
Thanks to Stefan Aebischer for notifying us.