PT-2015-4254 · Typo3 · Typo3

Published 2015-01-04 · Updated 2022-05-17 · CVE-2014-9509

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

TYPO3 versions 4.5.x through 4.5.38
TYPO3 versions 4.6.x through 6.2.x before 6.2.9
TYPO3 versions 7.x before 7.0.2

Description

The issue allows remote attackers to have an unspecified impact, possibly resource consumption, via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page. This occurs when the config.prefixLocalAnchors option is set to "all" or "cached". The impact includes unfamiliar-looking links to the home page ending up in the cache, so that following a section link reloads the page in the browser instead of jumping directly to the requested section.

Recommendations

For TYPO3 versions 4.5.x through 4.5.38: remove the configuration option config.prefixLocalAnchors (and optionally also config.baseUrl) in favor of config.absRefPrefix.
For TYPO3 versions 4.6.x through 6.2.x before 6.2.9: remove the configuration option config.prefixLocalAnchors (and optionally also config.baseUrl) in favor of config.absRefPrefix, considering that the homepage is not a shortcut to a different page.
For TYPO3 versions 7.x before 7.0.2: remove the configuration option config.prefixLocalAnchors (and optionally also config.baseUrl) in favor of config.absRefPrefix.
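As an added illustration (not part of the advisory or of the TYPO3 project's documentation), the affected TypoScript setup the advisory describes is shown next to the replacement it recommends. The site URL is a placeholder; TypoScript spells the base URL option `config.baseURL`.

```typoscript
# Affected configuration: with prefixLocalAnchors set to "all" (or "cached"),
# local section links (#section) are expanded to full URLs. Because the
# rendered page is cached, a request whose URL carries arbitrary extra
# arguments can leave those unfamiliar-looking links in the cache, and
# following a section link then reloads the page instead of jumping
# to the section.
config.prefixLocalAnchors = all
config.baseURL = https://www.example.com/

# Recommended configuration: drop prefixLocalAnchors (and optionally baseURL)
# and use a fixed absolute reference prefix. Section links stay as plain
# "#section" anchors and other links get a constant prefix that does not
# depend on the requesting URL.
config.absRefPrefix = /
```

After changing the configuration, clear the page cache so that no previously cached variants of the page with request-derived anchor prefixes remain.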

Exploit · Fix · RCE


Weakness Enumeration

Related identifiers

CVE-2014-9509
GHSA-5479-GQQR-F9GJ

Affected products

Typo3