[SECURITY] Information Disclosure in Wizards
It has been possible for authenticated editors to show content of arbitrary tables and fields that are defined in TCA by manipulating GET parameters of the forms and table wizard. This change adds a check if the editor has access to the given record.

Change-Id: I8e27e5ffbccf148d951b50b21d9e15cc8e317442
Fixes: #41714
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 52d4e3eced81639820db6d75f3d65d14c5234072
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26221
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
Showing
- typo3/sysext/backend/Classes/Controller/Wizard/FormsController.php (33 additions, 0 deletions)
- typo3/sysext/backend/Classes/Controller/Wizard/RteController.php (2 additions, 1 deletion)
- typo3/sysext/backend/Classes/Controller/Wizard/TableController.php (33 additions, 0 deletions)
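
A simplified model of the class of bug the commit message describes, added here as an illustration; it is not TYPO3 code and not the patch itself. The parameter keys, the `tx_example_private` table, the record data and the permission model (`tables`, `pages`) are constructed assumptions.

```php
<?php
// Constructed stand-ins (not TYPO3 code): a TCA-like field registry, a record
// store, and one editor's permissions.
$tca = ['tt_content' => ['bodytext'], 'tx_example_private' => ['notes']];
$records = [
    'tt_content' => [7 => ['pid' => 10, 'bodytext' => 'form configuration']],
    'tx_example_private' => [1 => ['pid' => 99, 'notes' => 'not for this editor']],
];
$editor = ['tables' => ['tt_content'], 'pages' => [10]];

// Before: any table/field registered in the TCA stand-in is read as requested.
function readUnchecked(array $p, array $tca, array $records): ?string
{
    $table = (string)($p['table'] ?? '');
    $field = (string)($p['field'] ?? '');
    if (!in_array($field, $tca[$table] ?? [], true)) {
        return null;
    }
    return $records[$table][(int)($p['uid'] ?? 0)][$field] ?? null;
}

// After: same lookup, but the record is released only if this editor may
// access it (table permission plus access to the page the record lives on).
function readChecked(array $p, array $tca, array $records, array $editor): ?string
{
    $table = (string)($p['table'] ?? '');
    $uid = (int)($p['uid'] ?? 0);
    $record = $records[$table][$uid] ?? null;
    if ($record === null
        || !in_array($table, $editor['tables'], true)
        || !in_array($record['pid'], $editor['pages'], true)) {
        throw new RuntimeException("Access denied to record $table:$uid");
    }
    return readUnchecked($p, $tca, $records);
}

// Constructed request parameters: one record the editor owns, one they do not.
$own = ['table' => 'tt_content', 'uid' => '7', 'field' => 'bodytext'];
$other = ['table' => 'tx_example_private', 'uid' => '1', 'field' => 'notes'];

var_dump(readUnchecked($other, $tca, $records)); // read with no access check
var_dump(readChecked($own, $tca, $records, $editor));
try {
    readChecked($other, $tca, $records, $editor);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The checked variant returns the same error for a missing record and a forbidden one, so the response does not reveal which records exist.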