CVE-2009-0815
published 2009-03-05


Priority: P3 · 43 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 42.23% (98.5th percentile)
The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.

Affected

27 ranges

Vendor  Product  Version range      Fixed in
typo3   cms      >= 3.3 < 4.0.12    4.0.12
typo3   cms      >= 4.1 < 4.1.10    4.1.10
typo3   cms      >= 4.2 < 4.2.6     4.2.6
typo3   typo3

Detection & IOCs (extracted from sources)

path: typo3conf/localconf.php
url: /index.php?jumpurl=<file>&type=0&juSecure=1&locationData=1:
url: /index.php?jumpurl=<file>&type=0&juSecure=1&locationData=1:&juHash=<hash>
path: class.tslib_fe.php
  • Look for HTTP requests to /index.php containing both 'juSecure=1' and 'locationData=' parameters, which indicate exploitation of the jumpUrl file disclosure mechanism.
  • Monitor HTTP responses from TYPO3 for the error string pattern 'Calculated juHash, [a-z0-9]+, did not' which leaks the secret hash value to the attacker.
  • Flag requests targeting sensitive TYPO3 configuration files via the jumpUrl parameter, especially 'typo3conf/localconf.php' which contains the security key.
  • The attacker can read any file accessible to the web server user account, not just TYPO3-specific files; the default target is typo3conf/localconf.php but arbitrary paths can be supplied.
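
The detection notes above combined into one check over request URLs and response bodies, as an added example (not code from TYPO3 or from this page's sources). The tag names, the one-entry watch list and the sample traffic are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Error-string pattern quoted in the detection notes above.
LEAK_RE = re.compile(r"Calculated juHash, [a-z0-9]+, did not")
# Assumed watch list: the page names only typo3conf/localconf.php.
SENSITIVE_TARGETS = ("typo3conf/localconf.php",)


def classify_request(url):
    """Tag one request URL; parse_qs percent-decodes the parameter values."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    tags = set()
    if not parts.path.endswith("/index.php") or "jumpurl" not in query:
        return tags
    if query.get("juSecure") == ["1"] and "locationData" in query:
        tags.add("jumpurl-secure")
        # The page lists this request both without and with juHash.
        tags.add("with-juhash" if "juHash" in query else "without-juhash")
    target = query["jumpurl"][0].replace("\\", "/").lower()
    if target.endswith(SENSITIVE_TARGETS):
        tags.add("sensitive-target")
    return tags


def response_leaks_hash(body):
    return LEAK_RE.search(body) is not None


def scan(entries):
    """entries: iterable of (url, response_body); returns flagged (url, tags)."""
    findings = []
    for url, body in entries:
        tags = classify_request(url)
        if response_leaks_hash(body):
            tags.add("juhash-leaked-in-response")
        if tags:
            findings.append((url, sorted(tags)))
    return findings


# Constructed sample traffic (not taken from a real log).
SAMPLE = [
    ("/index.php?id=12", "<html>ok</html>"),
    ("/index.php?jumpurl=typo3conf%2Flocalconf.php&type=0&juSecure=1&locationData=1:",
     "Calculated juHash, 0a1b2c3d4e, did not match"),
    ("/index.php?jumpurl=typo3conf/localconf.php&type=0&juSecure=1&locationData=1:&juHash=0a1b2c3d4e", ""),
]
```

Calling `scan(SAMPLE)` returns the two jumpUrl requests with their tags and skips the ordinary page view.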