html/typo3conf/ext/ter/class.tx_ter_helper.php · ad6454dbc1e0de61ccda0066f6307be7e297f51d · services / t3o sites / extensions.typo3.org / extensions.typo3.org

Sep 01, 2017

[SECURITY] Fix unauthorized SOAP access · 0ecc7fc6

Helmut Hummel authored Sep 01, 2017

By having an inverted condition, attackers
could upload arbitrary extensions by only knowing
the username and the extension key.

When knowing a username of a TER admin,
it was also possible to perform TER admin
commands (like deleting extensions) via SOAP

0ecc7fc6

[SECURITY] Fix unauthorized SOAP access

Helmut Hummel authored Sep 01, 2017

By having an inverted condition, attackers
could upload arbitrary extensions by only knowing
the username and the extension key.

When knowing a username of a TER admin,
it was also possible to perform TER admin
commands (like deleting extensions) via SOAP