Security
Headlines
HeadlinesLatestCVEs

Headline

TYPO3 11.5.24 Path Traversal

TYPO3 version 11.5.24 suffers from a path traversal vulnerability.

Packet Storm
Open in Source
#vulnerability#auth
# Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated)# Date: Apr 9, 2023# Exploit Author: Saeed reza Zamanian# Software Link: https://get.typo3.org/release-notes/11.5.24# Version: 11.5.24# Tested on: Kali 2022.3# CVE : CVE-2023-30451 In TYPO3 11.5.24, the filelist component allows attackers (with access to the administrator panel), to read arbitrary files by utilizing a directory traversal via the baseuri field, This is demonstrated through : POST /typo3/record/edit with ../../../ and the parameter  data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].  -----------------------------------------------------To exploit this vulnerability, follow these steps:1. Log in to the administrator panel.2. Navigate to 'file' > 'Filelist' section.3. Right-click on a file storage and select 'New.'4. Set the base URI to "../../../" and save.After creating the file storage, the final HTTP request should resemble the one below. Once the file storage is created, refresh the page, enabling you to browse any directory on the server.To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file.

Related news

GHSA-w6x2-jg8h-p6mp: Path Traversal in TYPO3 File Abstraction Layer Storages

### Problem Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ **Strong security defaults - Manual actions required** _see [Important: #102800 changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/11.5.x/Important-102800-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.html)_ Assuming that a web project is located in the directory `/var/www/example.org` (the "project root path" for Composer-based projects) and the publicly accessible directory is located at `/var/www/example.org/...

GHSA-3gjc-mp82-fj4q: TYPO3 Arbitrary File Read via Directory Traversal

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST `/typo3/record/edit` with `../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]`.

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6
Packet Storm