[SECURITY] Information Disclosure in the Configuration Module
authorMario Rimann <mario.rimann@typo3.org>
Wed, 15 Aug 2012 10:17:29 +0000 (12:17 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:17:32 +0000 (12:17 +0200)
The configuration module showed the encryption key as plaintext.
For this view, the encryption key is masked and its length is
shown instead, e.g. "***** (length: 96 characters)"

Change-Id: Id9561ca6c5812fb9bd6c177896a27854e8f0cdb4
Fixes: #39345
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit: 0e61891d3f872437729d2d5a2d976669e38bd938
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13738
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/lowlevel/config/index.php

index f71ad62..f91fdb4 100755 (executable)
@@ -256,6 +256,12 @@ class SC_mod_tools_config_index {
                        $arrayBrowser->depthKeys=$arrayBrowser->getSearchKeys($theVar, '',      $search_field, array());
                }
 
+                       // mask the encryption key to not show it as plaintext in the configuration module
+               if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) {
+                       $theVar['SYS']['encryptionKey'] = '***** (length: ' .
+                               strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . ' characters)';
+               }
+
                $tree = $arrayBrowser->tree($theVar, '', '');
 
                $label = $this->MOD_MENU['function'][$this->MOD_SETTINGS['function']];
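Review bot: The mask is applied only after `getSearchKeys($theVar, '', $search_field, array())` has run on the unmasked array in the branch just above, so the search result in `depthKeys` is still computed from the real key. If that helper matches values as well as keys (its body is not visible here), the expanded nodes for a search term could still reveal something about the key's content. Moving the masking block ahead of the search branch would let both the search and `tree()` see only the masked copy, with a comment such as `// mask before searching so the search never sees the real key`. The guard `$theVar == $GLOBALS['TYPO3_CONF_VARS']` is a loose whole-array comparison; testing the selected menu function explicitly would state the intent more clearly. The enclosing method starts and ends outside the hunk.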