QwikSec

Security Database

CVE

CWE

Training

CVE-2010-5099

Published: May 30, 2012

Modified: Aug 7, 2024

PUBLISHED

Description

The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/

x_refsource_CONFIRM

typo3-unspecified-file-include(64180)

vdb-entry

x_refsource_XF

third-party-advisory

x_refsource_SECUNIA

[oss-security] 20120512 Re: CVE-request: TYPO3 TYPO3-SA-2010-022 still without CVE

mailing-list

x_refsource_MLIST

[oss-security] 20110113 CVE requests: ftpls, xdigger, lbreakout2, calibre, typo3

mailing-list

x_refsource_MLIST

exploit

x_refsource_EXPLOIT-DB

[oss-security] 20120510 Re: CVE-request: TYPO3 TYPO3-SA-2010-022 still without CVE

mailing-list

x_refsource_MLIST

[oss-security] 20120511 CVE-request: TYPO3 TYPO3-SA-2010-022 still without CVE

mailing-list

x_refsource_MLIST

http://blog.nibblesec.org/2010/12/typo3-sa-2010-020-typo3-sa-2010-022.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.