[SECURITY] Information Disclosure in the Configuration Module
authorMario Rimann <mario.rimann@typo3.org>
Wed, 15 Aug 2012 10:18:35 +0000 (12:18 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:18:38 +0000 (12:18 +0200)
The configuration module showed the encryption key as plaintext.
For this view, the encryption key is masked and its length is
shown instead, e.g. "***** (length: 96 characters)"

Change-Id: I8ed5ee014f686fdf8ff527c0b569218c51a9bcaa
Fixes: #39345
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit: 585cf4f52ff4e946f31371f4cb6fde33d398d4d4
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13748
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/lowlevel/config/index.php

index e8a3b05..2b62a48 100755 (executable)
@@ -240,6 +240,12 @@ class SC_mod_tools_config_index {
                        $arrayBrowser->depthKeys=$arrayBrowser->getSearchKeys($theVar, '',      $search_field, array());
                }
 
+                       // mask the encryption key to not show it as plaintext in the configuration module
+               if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) {
+                       $theVar['SYS']['encryptionKey'] = '***** (length: ' .
+                               strlen($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']) . ' characters)';
+               }
+
                $tree = $arrayBrowser->tree($theVar, '', '');
 
                $label = $this->MOD_MENU['function'][$this->MOD_SETTINGS['function']];
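Review bot: The masking is applied after `getSearchKeys()` has already run on the unmasked `$theVar`, so if that helper matches search terms against values as well as keys (I cannot confirm this from the hunk), the search field still acts as an oracle for the real key even though the rendered tree shows only the placeholder; moving the `if ($theVar == $GLOBALS['TYPO3_CONF_VARS']) { … }` block above the `$arrayBrowser->depthKeys = …` assignment closes that gap. The guard also relies on `$theVar` being a by-value copy of `$GLOBALS['TYPO3_CONF_VARS']`; that assignment is outside the hunk, and if it were ever a reference the placeholder would overwrite the live key, so a short comment such as `// $theVar is a copy; the real key in $GLOBALS is untouched` would document the assumption. Minor style: the comment on the first added line is indented one level deeper than the `if` it describes, and a loose `==` array comparison is used where the intent is identity with the global config. The enclosing method of SC_mod_tools_config_index starts and ends outside the hunk.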