CVE-2008-2717

TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.

Published: Jun 17, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-2717
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
typo3 / typo3	4.1.1	4.1.1.x
typo3 / typo3	4.1	4.1.x
typo3 / typo3	4.2	4.2.x
typo3 / typo3	4.1.6	4.1.6.x
typo3 / typo3	4.0.5	4.0.5.x
typo3 / typo3	4.0.3	4.0.3.x
typo3 / typo3	4.1.4	4.1.4.x
typo3 / typo3	4.0.4	4.0.4.x
typo3 / typo3	4.0.1	4.0.1.x
typo3 / typo3	4.0.2	4.0.2.x
typo3 / typo3	4.0.7	4.0.7.x
typo3 / typo3	4.0	4.0.x
typo3 / typo3	4.0.8	4.0.8.x
typo3 / typo3	4.1.3	4.1.3.x
apache / apache_webserver	-	-
typo3 / typo3	4.0.6	4.0.6.x
typo3 / typo3	4.1.5	4.1.5.x
typo3 / typo3	4.1.2	4.1.2.x

http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
http://secunia.com/advisories/30619
http://secunia.com/advisories/30660
http://securityreason.com/securityalert/3945
http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
http://www.debian.org/security/2008/dsa-1596
http://www.securityfocus.com/archive/1/493270/100/0/threaded
http://www.securityfocus.com/bid/29657
http://www.vupen.com/english/advisories/2008/1802
https://exchange.xforce.ibmcloud.com/vulnerabilities/42988

Vulnerability Database

289,871

CVE-2008-2717