Typo3 composer.json Exposure

By kannthu

Low
Vidoc Module
#typo3 #cms #exposure #misconfig
Description

What is the "Typo3 composer.json Exposure"?

The "Typo3 composer.json Exposure" module detects a misconfiguration in Typo3 CMS. It targets the composer.json file, a configuration file that Typo3 uses to manage dependencies and packages. The module checks whether this file is exposed, which could lead to the disclosure of sensitive information about the web application. The severity of this vulnerability is classified as low.

This module was authored by 0x_Akoko.

Impact

If the composer.json file is exposed, it may allow an attacker to gain insights into the web application's dependencies, packages, and potentially sensitive information. This information could be used to exploit vulnerabilities or gain unauthorized access to the system.

How does the module work?

The "Typo3 composer.json Exposure" module works by sending an HTTP GET request to the "/typo3/sysext/install/composer.json" path. It then applies matching conditions to determine if the misconfiguration is present.

The matching conditions for this module are:

- The response body must contain the following words: "The Install Tool mounted as the module Tools>Install in TYPO3." and "typo3-cms-framework".
- The HTTP response status code must be 200.

If both matching conditions are met, the module will report a vulnerability.

Example HTTP request:

GET /typo3/sysext/install/composer.json

For more information, refer to the Typo3 CMS Changelog.
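An added example, not part of the Vidoc module or the original page: a log check a site owner could run to see which requests to the path above were answered, and whether any got a 200. It assumes an access log in common or combined format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path the module requests, as given on this page.
PROBE_PATH = "/typo3/sysext/install/composer.json"

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, decode percent-escapes, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_probes(lines):
    """Map client -> [(timestamp, status)] for every request to PROBE_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize(m["target"]) == PROBE_PATH:
            hits[m["client"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def served_clients(hits):
    """Clients that received a 200, i.e. the file was actually handed out."""
    return sorted(c for c, reqs in hits.items() if any(s == 200 for _, s in reqs))

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /typo3/sysext/install/composer.json HTTP/1.1" 200 1893 "-" "scanner"',
    '203.0.113.7 - - [12/Mar/2024:10:01:23 +0000] "GET /composer.json HTTP/1.1" 404 153 "-" "scanner"',
    '198.51.100.9 - - [12/Mar/2024:11:15:02 +0000] "GET //typo3/sysext/install/composer.json?x=1 HTTP/1.1" 403 162 "-" "curl/8.0"',
    '192.0.2.44 - - [12/Mar/2024:11:20:40 +0000] "GET /typo3/sysext/install/composer%2Ejson HTTP/1.1" 200 1893 "-" "-"',
    '192.0.2.50 - - [12/Mar/2024:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for client, reqs in hits.items():
        print(client, reqs)
    print("served with 200:", served_clients(hits))
```

A 200 entry means the server returned the file to that client; a 403 or 404 on the same path shows the request was made but the file was not served.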

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /typo3/sysext/instal...
Matching conditions
word: The Install Tool mounted as the module T... and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability