thumbs.php

2006-12-05T00:00:00
ID TYPO3-20061205-1
Type typo3
Reporter TYPO3 Association
Modified 2006-12-05T00:00:00

Description

A problem has been discovered with thumbs.php providing access to unwanted files

Component Type: TYPO3 Core

Affected Versions: ALL

Vulnerability Type: Image Access

Severity: minor**

Problem Description:**
TYPO3 uses a script t3lib/thumbs.php to display thumbnails of images and/or
PDF documents. It has been discovered that this script is not doing any
checks to see if the request is coming from a backend user who has access
to the file.

By design, thumbs.php is not making up any database connection, therefore it
is not possible to find out if the user is trusted or not. Instead, the
problem is solved by supplying an MD5 checksum which is only known to
trusted users.

The severity of this issue is only minor because usually all images are
accessible directly as soon as the file path is known. Of course this is
also required for access through thumbs.php, so the script can only be
misused in the situation of a locked directory where at the same time the
path to he image is known.

Solution:
Update to TYPO3 version 4.0.3 or later.

Credits:
Credits go to Marc Bastian Heinrichs for discovering and reporting this
issue, and to Michael Stucki for providing a patch.