A problem has been discovered with thumbs.php providing access to unwanted files
Component Type: TYPO3 Core
Affected Versions: ALL
Vulnerability Type: Image Access
TYPO3 uses the script t3lib/thumbs.php to display thumbnails of images and/or
PDF documents. It has been discovered that this script does not perform any
check on whether the request comes from a backend user who has access to the
file.
By design, thumbs.php does not open a database connection, so it cannot
determine whether the requesting user is trusted. Instead, the problem is
solved by supplying an MD5 checksum which is only known to
The severity of this issue is only minor because usually all images are
accessible directly as soon as the file path is known. The path is also
required for access through thumbs.php, so the script can only be misused
when a directory is locked against direct access and, at the same time, the
path to the image is known.
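The following is an added illustration of the kind of check described above, not TYPO3's own code: a thumbnail request is served only if it carries a keyed checksum that trusted backend code can produce, and only if the resolved path stays inside the locked directory. The secret key, directory and function names are assumptions made for the example.

```python
import hmac
import hashlib
import os

# Constructed server-side secret for this example only; in a real deployment it
# lives in server configuration and is never sent to the client.
SECRET_KEY = b"constructed-secret-key-for-example"
# Assumed locked directory that is not reachable by direct web requests.
LOCKED_DIR = "/var/www/fileadmin/locked"


def thumbnail_token(file_path: str) -> str:
    """Checksum issued by trusted backend code when it renders a thumbnail link.

    A keyed hash (HMAC-MD5 here, matching the advisory's MD5 checksum) is used so
    that knowing the file path alone is not enough to forge a valid request.
    """
    return hmac.new(SECRET_KEY, file_path.encode(), hashlib.md5).hexdigest()


def check_thumbnail_request(file_path: str, token: str) -> bool:
    """Decide whether a thumbs-style script may serve file_path.

    Returns True only when the resolved path stays inside LOCKED_DIR and the
    supplied token matches the checksum the backend would have issued.
    """
    # Normalise the path without touching the disk so that '..' segments or an
    # absolute path cannot escape the locked directory.
    normalised = os.path.normpath(os.path.join(LOCKED_DIR, file_path))
    if os.path.commonpath([LOCKED_DIR, normalised]) != LOCKED_DIR:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(thumbnail_token(file_path), token)
```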
Update to TYPO3 version 4.0.3 or later.
Credits go to Marc Bastian Heinrichs for discovering and reporting this
issue, and to Michael Stucki for providing a patch.