CVE-2010-5099

TYPO3 <4.2.16, 4.3.9, 4.4.5 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-5099. PoCs published by ikki.

AI-analyzed exploit summary This exploit leverages a non-typesafe comparison flaw (CVE-2010-3714) and a fileDenyPattern bypass in TYPO3 to retrieve arbitrary files without authentication. It first discloses the encryption key and then allows file retrieval via crafted requests.

Description

The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.

Exploits (1)

exploitdb WORKING POC

by ikki · phpwebappsphp

https://www.exploit-db.com/exploits/15856

View Code ZIP pw:eip

This exploit leverages a non-typesafe comparison flaw (CVE-2010-3714) and a fileDenyPattern bypass in TYPO3 to retrieve arbitrary files without authentication. It first discloses the encryption key and then allows file retrieval via crafted requests.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: TYPO3 versions 4.2.15, 4.3.7, or 4.4.4

No auth needed

Prerequisites: Vulnerable TYPO3 installation · Network access to the target

MITRE ATT&CK