This is a critical issue!įor more details see Security Bulletin TYPO3-EXT-SA-2014-007. Failing to check the uploaded file name against the fileDenyPattern pattern, powermail is susceptible to arbitrary code execution. Uploading files in powermail is possible without finally submitting the form, so a malicious file could be uploaded without further discovery. It was discovered that it was possible to upload files with specially crafted file extensions, which could be executed as PHP files on the server when using Apache as web server with mod_mime available (default). The extension powermail offers the possibility to upload files. When using CloudFlare flexible SSL and it crashes have a look at the Forge Issue #59021.Īrbitrary code execution in extension „powermail“ (powermail) If you ran into the error message „current host header does not match trusted hosts pattern“ after the update to the above mentioned TYPO3 versions please make sure to set the trustedHostsPattern as described in the Security Bulletin TYPO3-CORE-SA-2014-001. Powermail has a function that allows TYPO3 to automatically send an e-mail to the person filling out the form (a confirmation e-mail). These TYPO3 versions introduce a new configuration option: $GLOBALS The Vulnerability Types include Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing. Today two security bulletins have been released: Multiple Vulnerabilities in TYPO3 CMS
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |