[SECURITY] Information disclosure showing DB name
authorGeorg Ringer <mail@ringerge.org>
Wed, 28 Mar 2012 11:56:49 +0000 (13:56 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 28 Mar 2012 11:56:52 +0000 (13:56 +0200)
By accessing a cli script in the frontend, it is possible
that the DB name is shown.

Change-Id: Iac35d41ec7953fe14311b3bb619cc137389566fc
Fixes: #29060
Releases: 6.0, 4.7, 4.6, 4.5, 4.4
Security-Review: http://review.typo3.org/9936
Security-Commit: 4953abf5d8e3c5eeeb60f5a8dcd919985f063ab3
Security-Bulletin: TYPO3-CORE-SA-2012-001
Reviewed-on: http://review.typo3.org/10037
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_beuserauth.php

index 8cec43e..410ec4e 100644 (file)
@@ -218,7 +218,7 @@ class t3lib_beUserAuth extends t3lib_userAuthGroup {
                                                        exit(3);
                                                }
                                        } else {
-                                               fwrite(STDERR, 'ERROR: No backend user named "' . $userName . '" was found! [Database: ' . TYPO3_db . ']' . LF . LF);
+                                               fwrite(STDERR, 'ERROR: No backend user named "' . $userName . '" was found!' . LF . LF);
                                                exit(3);
                                        }
                                } else {