New TYPO3 releases (patch versions)

Posted on July 16, 2009 by Marcus.

No security fixes but security improvements

As of today, new TYPO3 releases (patch versions 4.0.13, 4.1.12, 4.2.8) have been published.

Although there are no security fixes in them, they contain desirable security improvements as listed below:

  • file deny pattern is applied to jumpurl (4-0, 4-1, 4-2)
  • automatic deletion of ENABLE_INSTALL_TOOL file (4-1, 4-2)

Before, jumpurl allowed downloading any file resource (provided you supplied the correct validation hash). Now, by default, PHP files can no longer be downloaded, and access to files below the typo3conf directory is denied entirely.

A lot of TYPO3 admins forget to delete the ENABLE_INSTALL_TOOL file after using the install tool, which poses a risk. I've covered that in a blog post and recommended setting up a cronjob for it. Now this file is automatically deleted if it is older than one hour. During development you can suppress this behaviour by setting the file content to "KEEP_FILE".
Update: Michael Stucki has written a nice posting about this new behaviour on buzz.typo3.org.
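As an added illustration (written for this post, not TYPO3's own code) of the two behaviours described above, here is a small Python model: a jumpurl path filter that applies a file deny pattern and refuses anything below typo3conf, and the one-hour expiry rule for ENABLE_INSTALL_TOOL that honours the "KEEP_FILE" marker. The regex is an assumption modelled on TYPO3's default file deny pattern, and the paths and file contents are constructed samples.

```python
import os
import posixpath
import re
import time

# Assumed deny pattern (modelled on TYPO3's default): blocks PHP-family
# files, including double extensions such as "x.php.txt", and .htaccess.
FILE_DENY_PATTERN = re.compile(r"\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$", re.IGNORECASE)
KEEP_FILE_MARKER = "KEEP_FILE"
MAX_AGE_SECONDS = 3600  # the post says "older than one hour"


def jumpurl_allowed(requested: str) -> bool:
    """Return True only if jumpurl may serve this site-relative path."""
    # Normalise first so "fileadmin/../typo3conf/localconf.php" cannot slip past.
    path = posixpath.normpath("/" + requested.replace("\\", "/")).lstrip("/")
    if path == "typo3conf" or path.startswith("typo3conf/"):
        return False  # the whole configuration directory is denied
    if FILE_DENY_PATTERN.search(posixpath.basename(path)):
        return False  # file name matches the deny pattern
    return True


def install_tool_file_action(content: str, mtime: float, now: float) -> str:
    """Decide what to do with ENABLE_INSTALL_TOOL: 'keep' or 'delete'."""
    if content.strip() == KEEP_FILE_MARKER:
        return "keep"  # developer explicitly asked to keep it
    if now - mtime > MAX_AGE_SECONDS:
        return "delete"  # stale flag file left behind after using the install tool
    return "keep"


def sweep_enable_install_tool(path: str, now: float = None) -> str:
    """Apply the rule to a real file; returns 'missing', 'keep' or 'delete'."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    action = install_tool_file_action(content, os.path.getmtime(path), now or time.time())
    if action == "delete":
        os.remove(path)
    return action
```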
