On Thu, Jan 19, 2006 at 10:30:36AM -0000, Advisories wrote:
> File system path disclosure on TYPO3 Web Content Manager
> Vulnerability Type / Importance: Information Leakage / Medium

Hm, since when is path disclosure "medium importance"?

> The following files were found to disclose the application path:
> http://hostname/typo3/t3lib/thumbs.php
> http://hostname/tslib/showpic.php
> http://hostname/t3lib/stddb/tables.php
> Tested Versions:
> Version 3.7.1

The first one verified as applicable to 3.8.1 too (easily avoidable by
adding IP- or user-based access restriction to /typo3 since that's
the administrative backend anyways), and the rest don't disclose anything
on a webserver that is properly configured, at least display_errors-wise,
which is a documented recommended (and often reiterated everywhere) PHP setup.

> Workarounds:
> IRM are not aware of any workarounds for this issue.

Ouch. :)

--
 ---- WBR, Michael Shigorin <mike@xxxxxxxxxxx>
  ------ Linux.Kiev http://www.linux.kiev.ua/
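Added example, not part of the original message or of TYPO3: a small audit of php.ini text that reports whether `display_errors` would send error output, including file system paths, to the client. The sample ini contents and the function names are constructed for illustration.

```python
# Values that switch a boolean-style php.ini directive off.
_OFF = {"0", "off", "no", "false", "none", ""}


def effective_ini(text):
    """Parse php.ini text into {directive: value}; the last assignment wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, ';' comments and [section] headers.
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # Drop a trailing ';' comment and surrounding quotes.
        val = val.split(";", 1)[0].strip().strip("\"'")
        values[key.strip()] = val  # directive names are case sensitive
    return values


def display_errors_exposed(text):
    """True when PHP would print error messages into the response.

    An unset directive counts as exposed because PHP's built-in default
    for display_errors is "1". Any value other than an "off" spelling
    (including stdout/stderr) is treated conservatively as exposed.
    """
    val = effective_ini(text).get("display_errors", "1")
    return val.lower() not in _OFF


# Constructed sample configurations.
WEAK = "[PHP]\n; development defaults\ndisplay_errors = On\n"
HARDENED = (
    "[PHP]\n"
    "display_errors = On ; left over from development\n"
    "error_reporting = E_ALL\n"
    "display_errors = Off ; production override, wins\n"
    "log_errors = On\n"
)
UNSET = "[PHP]\nlog_errors = On\n"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK), ("hardened", HARDENED), ("unset", UNSET)):
        state = "EXPOSED" if display_errors_exposed(ini) else "ok"
        print(f"{name}: display_errors -> {state}")
```

This checks php.ini text only; per-directory overrides such as `php_flag` in Apache configuration or `ini_set()` calls in code are outside its scope.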