8.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-8h4m-r4wm-xj7r

EPSS Score

CWE

CWE-434

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-8h4m-r4wm-xj7r

GHSA-8h4m-r4wm-xj7r: TYPO3 Arbitrary Code Execution via File List Module

Due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE'][‘fileDenyPattern’], backend users are allowed to upload *.phar, *.shtml, *.pl or *.cgi files which can be executed in certain web server setups. A valid backend user account is needed in order to exploit this vulnerability.

Derivatives of Debian GNU Linux are handling *.phar files as PHP applications since PHP 7.1 (for unofficial packages) and PHP 7.2 (for official packages).

The file extension *.shtml is bound to server side includes which are not enabled per default in most common Linux based distributions. File extension *.pl and *.cgi require additional handlers to be configured which is also not the case in most common distributions (except for /cgi-bin/ location).

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-8h4m-r4wm-xj7r

EPSS Score

CWE

CWE-434

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms	composer	>= 8.0.0, < 8.7.23	8.7.23
typo3/cms	composer	>= 9.0.0, < 9.5.4	9.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from an incomplete file deny pattern in TYPO3's configuration. The SystemEnvironmentBuilder::defineBaseConstants() method is directly responsible for setting the FILE_DENY_PATTERN_DEFAULT constant, which governs restricted file types. The commit patching this vulnerability explicitly modifies this function to add the missing extensions. Since this function controls the security-critical deny pattern configuration, its outdated implementation in vulnerable versions is the root cause enabling unsafe file uploads.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u* to missin* *il* *xt*nsions in $*LO**LS['TYPO*_*ON*_V*RS']['**'][‘*il***nyP*tt*rn’], ***k*n* us*rs *r* *llow** to uplo** *.p**r, *.s*tml, *.pl or *.**i *il*s w*i** **n ** *x**ut** in **rt*in w** s*rv*r s*tups. * v*li* ***k*n* us*r ***ount is n****

Reasoning

T** vuln*r**ility st*ms *rom *n in*ompl*t* *il* **ny p*tt*rn in TYPO*'s *on*i*ur*tion. T** Syst*m*nvironm*nt*uil**r::***in***s**onst*nts() m*t*o* is *ir**tly r*sponsi*l* *or s*ttin* t** *IL*_**NY_P*TT*RN_****ULT *onst*nt, w*i** *ov*rns r*stri*t** *il

8.8

Basic Information

Concerned about an active attack path?

GHSA-8h4m-r4wm-xj7r: TYPO3 Arbitrary Code Execution via File List Module

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI