Description
TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.
References (10)
Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/29657
Various Sources x_refsource_confirm
http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/30619
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/493270/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42988
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2008/dsa-1596
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/1802
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/30660
Various Sources x_refsource_confirm
http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/3945
Scores
EPSS
0.0021
EPSS Percentile
43.8%
Details
CWE
CWE-264
Status
published
Products (19)
apache/apache_webserver
typo3/cms-core
4.0.0 - 4.0.9Packagist
typo3/typo3
4.0
typo3/typo3
4.0.1
typo3/typo3
4.0.2
typo3/typo3
4.0.3
typo3/typo3
4.0.4
typo3/typo3
4.0.5
typo3/typo3
4.0.6
typo3/typo3
4.0.7
... and 9 more
Published
Jun 16, 2008
Tracked Since
Feb 18, 2026