security message after upgrade to 9.5.17

Question

after upgrading to 9.5.17 i get in the reports the following security messages:

Server Response on static files:

www.mydomain.de/typo3temp/assets/43cd7f07.tmp/2500f854.html.wrong
   unexpected content-type text/html
www.mydomain.de/typo3temp/assets/43cd7f07.tmp/2500f854.1.svg.wrong
   unexpected content-type image/svg+xml
www.mydomain.de/typo3temp/assets/43cd7f07.tmp/2500f854.php.wrong
   unexpected content PHP content
www.mydomain.de/typo3temp/assets/43cd7f07.tmp/2500f854.php.txt
   unexpected content PHP content

what does this mean?

I inspected the folder /typo3temp/assets/ - there is no folder 43cd7f07.tmp

Thanks!

Answer 1

The error messages you are receiving are part of a security feature that has been integrated into recent TYPO3 v9.5.17 and v10.4.2 releases, see https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Feature-91354-IntegrateServerResponseSecurityChecks.html

Basically it means that your current server system

• is evaluating files like test.php.txt (.php not at the end of the filename) still as PHP content - this can cause a security vulnerability in case somebody manages to upload a similar file (which might be considered as text/plain file, but is actually executable PHP code)
  • potentially remote code execution
• is serving files like test.html.wrong (.html not at the end of the filename) still as text/html which triggers the browser to execute HTML tags and potential dangerous <script> tags
  • potentially cross-site scripting

Call for action

In case this is a live and in production server, you should adjust your web server configuration.

The fix is to limit those web server mime-type mapping only to those files having e.g. .html at the very end, like shown in this example for the Apache HTTP web server

<FilesMatch ".+\.html?$">
    AddType text/html .html .htm
</FilesMatch>

Find more details and explanation in the TYPO3 security guidelines for server admins at https://docs.typo3.org/m/typo3/reference-coreapi/10.4/en-us/Security/GuidelinesAdministrators/Index.html#file-extension-handling

---

Update May 17th, 2020

https://gist.github.com/ohader/11d737de95895f8ca16495a8b7001c45 contains examples how to adjust an .htaccess file in case settings cannot be changed on a (shared) hosting environment.

<IfModule mod_mime.c>
    RemoveType .html .htm
    <FilesMatch ".+\.html?$">
        AddType text/html .html
        AddType text/html .htm
    </FilesMatch>

    RemoveType .svg .svgz
    <FilesMatch ".+\.svgz?$">
        AddType image/svg+xml .svg
        AddType image/svg+xml .svgz
    </FilesMatch>

    RemoveHandler .php
    <FilesMatch ".+\.php$">
        # IMPORTANT: `php-fcgid` is using in THIS example
        # Most probably is different for each individual configuration
        SetHandler php-fcgid
        # SetHandler php-script
        # SetHandler application/x-httpd-php
    </FilesMatch>
</IfModule>

Current handler identifier php-fcgid was identified for the example above using a phpinfo(); and searching for $_SERVER[REDIRECT_HANDLER]:

$_SERVER['REDIRECT_HANDLER'] php-fcgid