Typo3 hole allows access to arbitrary files
The Typo3 security team have now posted the details of a previously announced, but not detailed, critical security issue that allows access to arbitrary files on the server. The files include the localconf.php file, in which the (hashed) password for the install tool is stored alongside the database username and password. According to the Typo3 developers, the cause of the problem is an error in the jumpurl function, which is used for analysing Web access. The error reveals the mandatory hash secret that is intended to invalidate such requests, and this opens up access to arbitrary files.
Affected versions are 3.3.x, 3.5.x, 3.6.x, 3.7.x, 3.8.x, 4.0 to 4.0.11, 4.1.0 to 4.1.9, 4.2.0 to 4.2.5 and 4.3 Alpha 1. The updates to 4.0.12, 4.1.10 and 4.2.6 close the hole. In addition, the new versions fix a cross-site scripting vulnerability.
Alternatively, the developers have provided a small shell script (direct download link) that makes the necessary modifications without having to install the complete update. Further details can be found in the report from Typo3.
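For triaging an inventory of installations against the affected and fixed versions listed above, the following is an added example, not code from Typo3 or from the original article. The function names, host names and sample inventory are hypothetical; versions are compared numerically so that 4.1.10 is not mistaken for a release older than 4.1.9.

```python
import re

# Branch -> first fixed patch level, from the versions listed in the article.
# None means the article names no fixed release for that branch.
FIRST_FIXED = {(3, 3): None, (3, 5): None, (3, 6): None, (3, 7): None,
               (3, 8): None, (4, 0): 12, (4, 1): 10, (4, 2): 6}
# Pre-releases the article lists as affected.
AFFECTED_PRERELEASES = {(4, 3, "alpha", 1)}

_VERSION = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[\s._-]*(alpha|beta|rc)[\s._-]*(\d+))?$", re.I)


def classify(version):
    """Return (status, upgrade_to) for one version string.

    status is 'affected', 'fixed' or 'not listed' (the article makes no
    statement about that version); upgrade_to is the fixed release named
    for the branch, or None when none is named or none is needed.
    """
    m = _VERSION.match(version.strip())
    if not m:
        return ("not listed", None)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # "4.0" is treated as 4.0.0
    if m.group(4):  # pre-release such as "4.3 Alpha 1" or "4.3.0alpha1"
        key = (major, minor, m.group(4).lower(), int(m.group(5)))
        return ("affected" if key in AFFECTED_PRERELEASES else "not listed", None)
    if (major, minor) not in FIRST_FIXED:
        return ("not listed", None)
    fixed = FIRST_FIXED[(major, minor)]
    if fixed is None:
        return ("affected", None)
    if patch < fixed:  # integer comparison: 9 < 10, unlike "9" < "10"
        return ("affected", f"{major}.{minor}.{fixed}")
    return ("fixed", None)


def triage(inventory):
    """Classify every entry of a {host: version} mapping."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"www1": "4.1.9", "www2": "4.1.10", "intranet": "3.8.1",
              "staging": "4.3 Alpha 1", "shop": "4.2.6"}
    for host, (status, target) in triage(sample).items():
        print(f"{host}: {status}" + (f", update to {target}" if target else ""))
```

Installations reported as affected with no update target are on branches for which the article names no fixed release; the developers' shell script is the route the article gives for those.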