TYPO3 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker direclty requests the 'tslib/showpic.php' script, which will result in a failure to access certain include files. This will disclose the software's installation path in an error message, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Currently, there are no known workarounds or upgrades to correct this issue. However, TYPO3 has released a patch to address this vulnerability.

• Secunia Advisory ID: 18546
• SCIP VulDB ID: 1996
• CVE ID: 2006-0327 (see also: NVD)
• Related OSVDB ID: 22665 22667
• VUPEN Advisory: ADV-2006-0269
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0334.html
• Vendor Specific News/Changelog Entry: http://bugs.typo3.org/view.php?id=2248
• Other Advisory URL: http://www.irmplc.com/advisory015.htm [ Link is 404 ]
  http://www.irmplc.com/index.php/126-Advisory-015
• Keyword: IRM Security Advisory No. 015

• Rodrigo Marcos - advisoriesirmplc.com - Information Risk Management