CVE-2008-2717
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.
| Software | From | Fixed in |
|---|---|---|
| typo3 / typo3 | 4.1.1 | 4.1.1.x |
| typo3 / typo3 | 4.1 | 4.1.x |
| typo3 / typo3 | 4.2 | 4.2.x |
| typo3 / typo3 | 4.1.6 | 4.1.6.x |
| typo3 / typo3 | 4.0.5 | 4.0.5.x |
| typo3 / typo3 | 4.0.3 | 4.0.3.x |
| typo3 / typo3 | 4.1.4 | 4.1.4.x |
| typo3 / typo3 | 4.0.4 | 4.0.4.x |
| typo3 / typo3 | 4.0.1 | 4.0.1.x |
| typo3 / typo3 | 4.0.2 | 4.0.2.x |
| typo3 / typo3 | 4.0.7 | 4.0.7.x |
| typo3 / typo3 | 4.0 | 4.0.x |
| typo3 / typo3 | 4.0.8 | 4.0.8.x |
| typo3 / typo3 | 4.1.3 | 4.1.3.x |
| apache / apache_webserver | - | - |
| typo3 / typo3 | 4.0.6 | 4.0.6.x |
| typo3 / typo3 | 4.1.5 | 4.1.5.x |
| typo3 / typo3 | 4.1.2 | 4.1.2.x |
- http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
- http://secunia.com/advisories/30619
- http://secunia.com/advisories/30660
- http://securityreason.com/securityalert/3945
- http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
- http://www.debian.org/security/2008/dsa-1596
- http://www.securityfocus.com/archive/1/493270/100/0/threaded
- http://www.securityfocus.com/bid/29657
- http://www.vupen.com/english/advisories/2008/1802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42988
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime