TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Apache_webserver | Apache | * | * |
| Typo3 | Typo3 | 4.0 (including) | 4.0 (including) |
| Typo3 | Typo3 | 4.0.1 (including) | 4.0.1 (including) |
| Typo3 | Typo3 | 4.0.2 (including) | 4.0.2 (including) |
| Typo3 | Typo3 | 4.0.3 (including) | 4.0.3 (including) |
| Typo3 | Typo3 | 4.0.4 (including) | 4.0.4 (including) |
| Typo3 | Typo3 | 4.0.5 (including) | 4.0.5 (including) |
| Typo3 | Typo3 | 4.0.6 (including) | 4.0.6 (including) |
| Typo3 | Typo3 | 4.0.7 (including) | 4.0.7 (including) |
| Typo3 | Typo3 | 4.0.8 (including) | 4.0.8 (including) |
| Typo3 | Typo3 | 4.1 (including) | 4.1 (including) |
| Typo3 | Typo3 | 4.1.1 (including) | 4.1.1 (including) |
| Typo3 | Typo3 | 4.1.2 (including) | 4.1.2 (including) |
| Typo3 | Typo3 | 4.1.3 (including) | 4.1.3 (including) |
| Typo3 | Typo3 | 4.1.4 (including) | 4.1.4 (including) |
| Typo3 | Typo3 | 4.1.5 (including) | 4.1.5 (including) |
| Typo3 | Typo3 | 4.1.6 (including) | 4.1.6 (including) |
| Typo3 | Typo3 | 4.2 (including) | 4.2 (including) |
| Typo3-src | Ubuntu | dapper | * |
| Typo3-src | Ubuntu | feisty | * |
| Typo3-src | Ubuntu | gutsy | * |
| Typo3-src | Ubuntu | hardy | * |
| Typo3-src | Ubuntu | upstream | * |
References
- http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
- http://secunia.com/advisories/30619
- http://secunia.com/advisories/30660
- http://securityreason.com/securityalert/3945
- http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
- http://www.debian.org/security/2008/dsa-1596
- http://www.securityfocus.com/archive/1/493270/100/0/threaded
- http://www.securityfocus.com/bid/29657
- http://www.vupen.com/english/advisories/2008/1802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42988
- http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
- http://secunia.com/advisories/30619
- http://secunia.com/advisories/30660
- http://securityreason.com/securityalert/3945
- http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
- http://www.debian.org/security/2008/dsa-1596
- http://www.securityfocus.com/archive/1/493270/100/0/threaded
- http://www.securityfocus.com/bid/29657
- http://www.vupen.com/english/advisories/2008/1802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42988