TYPO3-20070612-1: Information disclosure in w4x_backup

It has been discovered that the extension w4x_backup has several security related issues, which may disclosure confidential information.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation

Affected Versions: Version 0.9.1 and all versions below

Vulnerability Type: Information disclosure

Severity: LOW

Problem Description: Within a Unix/Linux environment, the extension w4x_backup checks for appropriate file permissions during a backup or a restore operation. Problems are reported by creating a log file in HTML format. It can contain a complete list of the files and file paths of a TYPO3 based web site. The log file has a static name and path and is readable by the public. It is also not deleted  automatically, so it stays unchanged until it is overwritten by a newer version.

The contents of the log file might expose the names of confidential files that are not meant to be public and make them easily accessible for attackers. In some situations the contents of the log file can also expose the file name of the latest backup archive created by the extension. The backup archive would then be easily downloadable for an attacker (containing file contents and a sqldump).

Solution: An updated version is available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/w4x_backup/0.9.2/

General advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide.

Credits: Credits go to security team member Henning Pingel who discovered these issues and to Carlos Chiari who is the author and fixed the issues.