CVE-2008-2717: Malicious File Upload
First published: Mon Jun 16 2008(Updated: )
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Typo3 Typo3 | =4.1.1 | |
| Typo3 Typo3 | =4.1 | |
| Typo3 Typo3 | =4.2 | |
| Typo3 Typo3 | =4.1.6 | |
| Typo3 Typo3 | =4.0.5 | |
| Typo3 Typo3 | =4.0.3 | |
| Typo3 Typo3 | =4.1.4 | |
| Typo3 Typo3 | =4.0.4 | |
| Typo3 Typo3 | =4.0.1 | |
| Typo3 Typo3 | =4.0.2 | |
| Typo3 Typo3 | =4.0.7 | |
| Typo3 Typo3 | =4.0 | |
| Typo3 Typo3 | =4.0.8 | |
| Typo3 Typo3 | =4.1.3 | |
| Apache Apache Webserver | ||
| Typo3 Typo3 | =4.0.6 | |
| Typo3 Typo3 | =4.1.5 | |
| Typo3 Typo3 | =4.1.2 | |
| composer/typo3/cms-core | >=4.2.0<4.2.1 | 4.2.1 |
| composer/typo3/cms-core | >=4.1.0<4.1.7 | 4.1.7 |
| composer/typo3/cms-core | >=4.0.0<4.0.9 | 4.0.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
- http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
- http://www.debian.org/security/2008/dsa-1596
- http://secunia.com/advisories/30619
- http://secunia.com/advisories/30660
- http://securityreason.com/securityalert/3945
- http://www.securityfocus.com/bid/29657
- http://www.vupen.com/english/advisories/2008/1802
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42988
- http://www.securityfocus.com/archive/1/493270/100/0/threaded
- https://nvd.nist.gov/vuln/detail/CVE-2008-2717
- https://web.archive.org/web/20080815050856/http://securityreason.com/securityalert/3945
- https://web.archive.org/web/20081201212626/http://secunia.com/advisories/30619
- https://web.archive.org/web/20081206030529/http://secunia.com/advisories/30660
- https://web.archive.org/web/20200228131005/http://www.securityfocus.com/bid/29657
- https://web.archive.org/web/20201208012148/http://www.securityfocus.com/archive/1/493270/100/0/threaded
- https://github.com/advisories/GHSA-f35p-hcwf-9f9f (Advisory)
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f35p-hcwf-9f9f
- alias/CVE-2008-2717
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/event
- agent/softwarecombine
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/typo3
- canonical/typo3 typo3
- version/typo3 typo3/4.1.1
- version/typo3 typo3/4.1
- version/typo3 typo3/4.2
- version/typo3 typo3/4.1.6
- version/typo3 typo3/4.0.5
- version/typo3 typo3/4.0.3
- version/typo3 typo3/4.1.4
- version/typo3 typo3/4.0.4
- version/typo3 typo3/4.0.1
- version/typo3 typo3/4.0.2
- version/typo3 typo3/4.0.7
- version/typo3 typo3/4.0
- version/typo3 typo3/4.0.8
- version/typo3 typo3/4.1.3
- vendor/apache
- canonical/apache apache webserver
- version/typo3 typo3/4.0.6
- version/typo3 typo3/4.1.5
- version/typo3 typo3/4.1.2
- package-manager/composer