TYPO3 CMS Path Validation Vulnerability in GeneralUtility Allowing Access to Arbitrary Directories

Vulnerability

A broken access control vulnerability has been identified in the GeneralUtility component of TYPO3 CMS. The path validation method 'isAllowedAbsPath()' performed a plain string prefix check without requiring a directory separator at the boundary, so a path such as '/var/www/html-other/secret.yaml' was accepted as lying inside a project root of '/var/www/html'. As a result, administrators with access to the File Abstraction Layer could create file storage definitions pointing to directories outside the project root, bypassing the intended path restrictions. This vulnerability affects TYPO3 CMS versions prior to 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.

Impact

Exploitation of this vulnerability could lead to unauthorized access to files outside the designated project directory, potentially allowing for the manipulation or exposure of sensitive information.

Reproduction

To reproduce this vulnerability, an administrator must create a file storage definition that points to a directory outside the project root. This can be done by specifying a path that is adjacent to the project root directory but not within it, such as '/var/www/html-other/'. The path will be incorrectly accepted as valid, allowing access to files in that directory.
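The prefix-only check described above and a boundary-aware replacement, side by side, as an added Python example (not TYPO3's own isAllowedAbsPath() code, which is PHP); the project root, function names and storage paths are constructed for illustration and cover both the mechanism and the adjacent-directory case from the reproduction:

```python
import posixpath

# Constructed example: the project root from the advisory.
PROJECT_ROOT = "/var/www/html"


def is_allowed_abs_path_prefix_only(path: str, root: str = PROJECT_ROOT) -> bool:
    """Flawed check: a bare string-prefix test with no separator boundary.
    '/var/www/html-other/...' starts with '/var/www/html', so it passes."""
    return path.startswith(root)


def is_allowed_abs_path_bounded(path: str, root: str = PROJECT_ROOT) -> bool:
    """Hardened check: normalise lexically, then accept only the root itself
    or the root followed by a '/' separator.

    posixpath.normpath collapses '.', '..' and repeated slashes without
    touching the filesystem; it does not resolve symlinks, so a deployment
    that permits symlinks under the root still needs os.path.realpath()."""
    norm_path = posixpath.normpath(path)
    norm_root = posixpath.normpath(root)
    if not posixpath.isabs(norm_path):
        return False
    return norm_path == norm_root or norm_path.startswith(norm_root + "/")


def wrongly_accepted(candidates, root: str = PROJECT_ROOT):
    """Candidate paths the prefix-only check accepts but the bounded check
    rejects, i.e. storage paths that would escape the project root."""
    return [
        p for p in candidates
        if is_allowed_abs_path_prefix_only(p, root)
        and not is_allowed_abs_path_bounded(p, root)
    ]


if __name__ == "__main__":
    # Constructed storage paths an administrator might enter in a FAL
    # storage definition; only the first two are genuinely inside the root.
    storage_paths = [
        "/var/www/html/fileadmin/",
        "/var/www/html",
        "/var/www/html-other/secret.yaml",
        "/var/www/html/../html-other/",
    ]
    for p in storage_paths:
        print(f"{p!r}: prefix-only={is_allowed_abs_path_prefix_only(p)} "
              f"bounded={is_allowed_abs_path_bounded(p)}")
    print("escapes root:", wrongly_accepted(storage_paths))
```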

Remediation

Users are advised to update TYPO3 to versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS or 14.3.3 LTS, all of which address this vulnerability.

Added: Jun 9, 2026, 11:26 AM
Updated: Jun 9, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.3
exploitability: 6.0
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.