RSS 2.0
RSS 0.91
ATOM 0.3
October 6, 2010

New limitations in jumpUrl feature

Category: Security

By: Marcus Krause

While fixing a vulnerability in the jumpurl feature, some restrictions have been additionally created.

While fixing a vulnerability in jumpurl feature, covered by TYPO3-SA-2010-020, the TYPO3 Core Team and TYPO3 Security Team has added further restrictions. If at all, only rare environments will be hit by them.

In detail:

  • access to files beyond PATH_site (the TYPO3 installation root) and setting $TYPO3_CONF_VARS['BE']['lockRootPath'] is generally denied
  • the calculations of juHash for an integrity check is no longer done with t3lib_div::shortMD5() but with the already existing dedicated function t3lib_div::hmac()

So if in your installations jumpurl stops working, please check above mentioned limitations. If you consider one of the limitations too restrictive, please file a bug report and we might consider further rework on them.

Thank you for your understanding.


comment #1
Gravatar: Steffen Müller Steffen Müller October 9, 2010 12:53
Thanks to the security team for their efforts. Great work.

One things bugs me:
It seems the description of the jumpUrl issue has been removed from the bug report #15898.
I don't like this practice of obscurity. The patch is public anyway so blackhats can find out how to exploit. So why hold the description?

comment #2
Gravatar: Marcus Marcus October 10, 2010 09:44
This is not "security by obscurity". The vulnerability has been fixed by the given patches.
A detailed description of this vulnerability has been removed to give TYPO3 users enough time to update. We expect that this procedure increases the timespan between advisory and the availability of exploit code.

Thank you for your understanding.

Sorry, comments are closed for this post.