TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1 uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Link | Tags |
---|---|
http://www.securityfocus.com/bid/29657 | vdb entry |
http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/ | |
http://secunia.com/advisories/30619 | third party advisory, vendor advisory |
http://www.securityfocus.com/archive/1/493270/100/0/threaded | mailing list |
https://exchange.xforce.ibmcloud.com/vulnerabilities/42988 | vdb entry |
http://www.debian.org/security/2008/dsa-1596 | vendor advisory |
http://www.vupen.com/english/advisories/2008/1802 | vdb entry |
http://secunia.com/advisories/30660 | third party advisory, vendor advisory |
http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/ | |
http://securityreason.com/securityalert/3945 | third party advisory |