AOEpeople / TYPO3_Restler

restler (PHP REST-Framework) for TYPO3
GNU General Public License v3.0

Local File Disclosure #25

Closed CCrashBandicot closed 7 years ago

CCrashBandicot commented 7 years ago

Hello, I found a vulnerability in the latest version of restler (1.7.0) for TYPO3, in the file getsource.php.

Lines:

```php
<?php
// Vulnerable as reported: the file name comes straight from the query string
// and is passed to file_get_contents() without any validation.
$file = $_GET['file'];
$text = file_get_contents($file);
die($file . '
' . htmlspecialchars($text) . "
");
```

This allows an attacker to read any file on the website.

Proof : https://i.imgur.com/zObmaDD.png

In the picture I read the file LocalConfiguration.php. LocalConfiguration.php stores credential information.

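The report above boils down to an unvalidated `$_GET['file']` reaching `file_get_contents()`. The following is an added example, not code from restler or TYPO3_Restler, showing one way to confine such a helper to a single directory: the requested name is resolved with `realpath()` against an allowlisted base directory, and anything that is absolute, uses a stream wrapper, contains a null byte, or escapes the base via `..` or a symlink is refused. The function name `readSourceWithin`, the `examples` directory, the `.php`-only rule and the sample files are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not project code). Return the contents of $requested only if
 * it resolves to a regular .php file inside $baseDir; otherwise return null.
 * realpath() collapses "..", symlinks and similar tricks, so the prefix check
 * is made on the canonical path rather than on the attacker-supplied string.
 */
function readSourceWithin(string $baseDir, string $requested): ?string
{
    // Null bytes would truncate the path inside C-level calls; refuse them early.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Refuse absolute paths, drive letters and stream wrappers such as
    // php://filter or file:///etc/passwd. Only relative names are accepted.
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|/|\\\\)#i', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $target = realpath($base . $requested);
    if ($target === false || strncmp($target, $base, strlen($base)) !== 0) {
        return null; // missing, or escaped the base directory via ../ or a symlink
    }
    // Assumption for this example: only example sources are meant to be shown,
    // so configuration and data files are excluded even inside the directory.
    if (!is_file($target) || pathinfo($target, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return file_get_contents($target);
}

// Constructed sandbox so the script runs stand-alone: an examples directory
// with one file, and a "secret" file one level above it that must stay hidden.
$root = sys_get_temp_dir() . '/getsource_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/examples', 0700, true);
file_put_contents($root . '/examples/hello.php', "<?php echo 'hello';\n");
file_put_contents($root . '/LocalConfiguration.php', "<?php return ['db' => ['password' => 'secret']];\n");

$cases = [
    'hello.php',                                              // legitimate request
    '../LocalConfiguration.php',                              // traversal, as in the report
    '/etc/passwd',                                            // absolute path
    'php://filter/convert.base64-encode/resource=hello.php',  // stream wrapper
    "hello.php\0.txt",                                        // null byte
];
foreach ($cases as $case) {
    $result = readSourceWithin($root . '/examples', $case);
    printf("%-56s => %s\n",
        addcslashes($case, "\0"),
        $result === null ? 'REJECTED' : 'served ' . strlen($result) . ' bytes');
}

// Clean up the constructed sandbox.
unlink($root . '/examples/hello.php');
unlink($root . '/LocalConfiguration.php');
rmdir($root . '/examples');
rmdir($root);
```

Only the first case is served; the traversal, absolute path, wrapper and null-byte cases are all rejected. The check on the canonical path is what matters: a naive `str_contains($file, '..')` filter would still let `php://filter` or a symlink placed inside the directory through.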

srotsch commented 7 years ago

Hi @CCrashBandicot, thanks for letting us know.

On first sight, the affected file is part of some code examples shipped with the third-party restler library. We will figure out how to mitigate the issue and then release a new version.

Thanks again!

tmotyl commented 7 years ago

Usually the vendor folder is outside of the document root. Can you tell me the full URL you tried? The screenshot doesn't contain the beginning of the URL.

srotsch commented 7 years ago

Hi @tmotyl, thanks for providing a fix that quickly :-)

I took the liberty of cherry-picking it into the AOEpeople fork of luracast/restler, which is used here.

The PR for updating the dependency is open ( https://github.com/AOEpeople/TYPO3_Restler/pull/26 ); @tomasnorre and @vdespa are also in the loop.