Component Type: Core
Affected Components: File Editor in Install Tool
Versions: TYPO3 3.8.0 and earlier
Vulnerability Type: Information Disclosure
Severity: High
Problem Description:
Situations are imaginable where sensitive information gets stored in the fileadmin/_temp_/ directory. If your web server is misconfigured, this directory can be browsable and therefore expose that information.
Solution:
Generally, please make sure to configure your web server to not allow directory indexing (or limit it to directories where you really want it).
Furthermore, we recommend creating a .htaccess file in fileadmin/_temp_/ that contains the lines:
Order deny,allow
Deny from all
From TYPO3 3.8.1 on, full installation packages ("Dummy", "Quickstart" etc.) contain this .htaccess file by default.
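The following POSIX shell script is an added example and not part of this advisory or of the TYPO3 distribution. It writes the recommended .htaccess into fileadmin/_temp_/ when it is missing and offers a check function that reports whether the file carries both directives, so the protection can be verified on existing installations. The directory path and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the TYPO3 advisory): create and verify the
# access-denying .htaccess in fileadmin/_temp_/ (path is an assumption).

# Write the recommended directives into DIR/.htaccess if no such file exists.
# Returns 1 if DIR is not a directory.
ensure_temp_htaccess() {
    dir="${1:-fileadmin/_temp_}"
    file="$dir/.htaccess"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ ! -f "$file" ]; then
        # Directives exactly as recommended by the advisory (Apache 2.2 syntax).
        printf 'Order deny,allow\nDeny from all\n' > "$file"
        echo "created $file"
    fi
    return 0
}

# Returns 0 when DIR/.htaccess denies all access as recommended, 1 otherwise.
check_temp_htaccess() {
    file="${1:-fileadmin/_temp_}/.htaccess"
    [ -f "$file" ] || return 1
    grep -qi '^Order[[:space:]]*deny,allow' "$file" || return 1
    grep -qi '^Deny[[:space:]]*from[[:space:]]*all' "$file" || return 1
    return 0
}

# Usage: run from the TYPO3 document root.
#   ensure_temp_htaccess fileadmin/_temp_ && check_temp_htaccess fileadmin/_temp_
```

The .htaccess is only honoured when the web server allows per-directory overrides for that path (AllowOverride in Apache); on Apache 2.4 the Order/Deny directives need mod_access_compat, the native equivalent being "Require all denied". Disabling directory indexing server-wide, as the advisory asks first, remains the primary control; the .htaccess is defence in depth.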
Credits:
Thanks to Stefan Aebischer for notifying us.