CVE-2010-5099

Name of the Vulnerable Software and Affected Versions TYPO3 versions 4.2.x through 4.2.15 TYPO3 versions 4.3.x through 4.3.8 TYPO3 versions 4.4.x through 4.4.4

Description The issue concerns the fileDenyPattern functionality in the PHP file inclusion protection API, which fails to properly filter file types. This allows remote attackers to bypass access restrictions and access arbitrary PHP files. Attackers can exploit this using path traversal sequences with %00 null bytes to read sensitive information, such as the TYPO3 encryption key from localconf.php.

Recommendations For TYPO3 versions 4.2.x through 4.2.15, update to version 4.2.16 or later. For TYPO3 versions 4.3.x through 4.3.8, update to version 4.3.9 or later. For TYPO3 versions 4.4.x through 4.4.4, update to version 4.4.5 or later.