- Release Date: November 20, 2018
- Component Type: Web server hosting environment
- Impact: Information disclosure of developer related resources
- Type: Advisory
Problem Description
The TYPO3 security team has been informed about the possibility to retrieve development-related information, such as Composer or TypoScript configurations, by regular HTTP GET requests on NGINX web server environments that lack strict access restriction settings.
The TYPO3 core already provides default configuration for the Apache web server and Microsoft Internet Information Server (IIS) using custom override techniques (.htaccess and web.config declarations). Since this functionality is not available on web servers running NGINX, server maintainers have to ensure that internal resources are restricted from being exposed via the public web interface.
This information could be used by attackers to infer internal system behavior and to identify specific release versions (of the TYPO3 core, extensions and packages).
Solution
The TYPO3 security guide has been extended and addresses the topic in greater detail. Primarily, hosting environments using NGINX should be adjusted and reviewed so that they no longer expose internal information. Apache and IIS environments were already provided with default values delivered by the TYPO3 core, but should be reviewed once more to confirm that their restriction settings are up to date. A section listing potential URLs that should be restricted has been added to the security guide accordingly.
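As an added illustration, not taken from the TYPO3 security guide or the core's default configuration, the following NGINX server block denies requests for the kinds of resources this advisory describes. The document root, socket path, host name and the file and directory names are assumptions about a typical classic TYPO3 installation layout.

```nginx
# Added example (not the TYPO3 security guide's own configuration).
# Assumed layout: classic TYPO3 install with the document root below;
# adjust paths for Composer-based setups whose web root is public/ or web/.
server {
    listen 80;
    server_name typo3.example;               # placeholder host name
    root /var/www/typo3;                     # assumed document root
    index index.php;

    # Hidden files and directories (.git, .env, ...) except the well-known
    # directory that ACME clients and similar services need to reach.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # Composer manifests and lock files reveal package names and exact versions.
    location ~* (?:^|/)composer\.(?:json|lock)$ {
        deny all;
    }

    # Extension internals: TypoScript under Configuration/, private templates,
    # tests and documentation. Directory names are TYPO3 conventions, assumed here.
    location ~* ^/(?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ {
        deny all;
    }

    # Extension manifests and TypoScript files wherever they are stored.
    location ~* (?:^|/)(?:ext_emconf\.php|ext_localconf\.php|ext_tables\.(?:php|sql)|ext_conf_template\.txt|ext_typoscript_(?:setup|constants)\.(?:txt|typoscript))$ {
        deny all;
    }
    location ~* \.(?:typoscript|tsconfig)$ {
        deny all;
    }

    # Regular requests go to the TYPO3 front controller. The deny blocks above
    # must stay in front of this PHP location: regex locations are tried in order.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        try_files $uri =404;                 # never pass a non-existent script to PHP-FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Validate with `nginx -t` before reloading, then request one of the denied paths (for example `/composer.json`) on the server and confirm that it answers with 403 while regular pages still render.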
Links
- Security Guide - Restrict access to files on a server-level
- Security Guide - Configuration example for NGINX web servers
Credits
Credits go to Peter Schuler & Thomas Löffler who reported the vulnerability.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.