VIGILANCE-VUL-8839 - not a vulnerability

Posted in advisory/ on July 07, 2009 by Marcus.

Today, I stumbled across VIGILANCE-VUL-8839, a newly published to-be advisory covering TYPO3 bugtracker issue #0011369.
Attentive readers of this blog are aware that I've covered exactly this issue in my recent posting on new TYPO3 releases. I also mentioned that this is not a vulnerability. It seems somebody is of different opinion. Challenge accepted.

So why is this not a vulnerability:

The file deny pattern is generally only applied when uploading files onto the TYPO3 system. Such user files matching this pattern won't exist on a TYPO3 installation. The pattern itself is able to be modified by a TYPO3 administrator; by default it prevents php files to be uploaded.
Jumpurl would allow to access all files the web server user account has access to. Prerequisite: a mandatory token is supplied with such request that matches the one TYPO3 is expecting.

Therefore you will only be able to access files with jumpurl if the system is configured to expose such files. AFAIK, this is only used for e.g. PDF documents referenced by newsletters. Such jumpurl links with a valid token are only created by TYPO3 when an author/admin consciously decides to make specific files available.

Independent from that, a typical author will never be able to create jumpurl links to the central TYPO3 configuration file (php file ).

What the core team (with TYPO3 Security Team's approval) has decided:
There's no need at all to (theoretically) allow to create links to this configuration file or configuration directory.

Your system is not more secure after applying the patch! Also the TYPO3 Security Team didn't fix a known vulnerability by that patch. The Security Team is very focused on TYPO3 Security. If we would have considered this to be a vulnerability, we would have published an advisory.

I hope this is more clear for you now. No need to worry! Thanks for listening.