CVE-2010-3714
Published 2010-10-25
Priority P3 · 54 · high · 7.1 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:N/A:N
EXPLOIT
EPSS 24.56% (97.6th percentile)
The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms | >= 4.2.0 < 4.2.15 | 4.2.15 |
| typo3 | cms | >= 4.2.0 < 4.2.16 | 4.2.16 |
| typo3 | cms | >= 4.3.0 < 4.3.7 | 4.3.7 |
| typo3 | cms | >= 4.3.0 < 4.3.9 | 4.3.9 |
| typo3 | cms | >= 4.4.0 < 4.4.4 | 4.4.4 |
| typo3 | cms | >= 4.4.0 < 4.4.5 | 4.4.5 |
| typo3 | typo3 | — | — |
CVSS provenance
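| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| ghsa | — | 7.1 | HIGH | — |
| osv | — | 7.1 | HIGH | — |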
GHSA
GHSA-4rfj-gg42-w428: Unspecified vulnerability in the Extension Manager in TYPO3 4
ghsa_unreviewed·2022-05-17·CVSS 7.1
CVE-2010-4068 [HIGH] CWE-20 GHSA-4rfj-gg42-w428: Unspecified vulnerability in the Extension Manager in TYPO3 4
Unspecified vulnerability in the Extension Manager in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allows remote authenticated administrators to read and possibly modify arbitrary files via a crafted parameter, a different vulnerability than CVE-2010-3714.
OSV
TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism
osv·2022-05-17
CVE-2010-3714 [HIGH] TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism
The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.
GHSA
TYPO3 Path Traversal vulnerability
ghsa·2022-05-17·CVSS 7.1
CVE-2010-5099 [HIGH] CWE-20 TYPO3 Path Traversal vulnerability
The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.
GHSA
TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism
ghsa·2022-05-17
CVE-2010-3714 [HIGH] CWE-284 TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism
The jumpUrl (aka access tracking) implementation in `tslib/class.tslib_fe.php` in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.
OSV
TYPO3 Path Traversal vulnerability
osv·2022-05-17·CVSS 7.1
CVE-2010-5099 [HIGH] TYPO3 Path Traversal vulnerability
The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.
Suricata
ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt
suricata·2010-07-30
CVE-2008-3714 ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/awstats/awstats.pl?config="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:url,www.securityfocus.com/bid/30730/info; reference:url,bugzilla.redhat.com/show_bug.cgi?id=474396; reference:url,sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764; reference:cve,2008-3714; classtype:web-application-attack; sid:2010082; rev:6; metadata:created_at 2010_07_30, cve CVE_2008_3714, confidence Medium, signature_severity Major, updated_at 2020_09_10;)
Exploit-DB
TYPO3 - Arbitrary File Retrieval
exploitdb·2010-12-29·CVSS 7.1
CVE-2012-2344 [HIGH] TYPO3 - Arbitrary File Retrieval
---
0);
for($i=0;$i<count($handles);$i++){
$output = curl_multi_getcontent($handles[$i]);
$location="%20".$location;
curl_multi_remove_handle($mh,$handles[$i]);
curl_setopt($handles[$i], CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$location."&juHash=".$juHash);
curl_multi_add_handle($mh,$handles[$i]);
$rcont++;
echo(".");
}
}
curl_multi_remove_handle($mh,$handles[$i]);
curl_multi_close($mh);
$key=substr($output,strpos($output,"TYPO3_CONF_VARS['SYS']['encryptionKey'] = '")+43);
$key=substr($key,0,strpos($key,"';"));
echo("\n[*] Done! ".$rcont." requests\n");
echo("\n[*] TYPO3's encryption key:".$key."\n");
/* STEP 3 - Retrieve arbitrary files */
while(!0) {
echo("\n[*] Which file do you want to download?\n");
ec
Metasploit
TYPO3 sa-2010-020 Remote File Disclosure
metasploit
This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. This flaw can be used to read any file that the web server user account has access to view.
http://blog.nibblesec.org/2010/12/typo3-sa-2010-020-typo3-sa-2010-022.html
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/
http://www.debian.org/security/2010/dsa-2121
http://www.exploit-db.com/exploits/15856
http://www.securityfocus.com/bid/43786