CVE-2006-0327
Description
TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The vulnerable files fail to include `init.php` and locally compute path constants that become incorrect under CGI/FastCGI SAPI, causing `require()` to fail and leak the filesystem path in the error message."
Attack vector
An unauthenticated remote attacker requests one of the vulnerable files directly (e.g., `/typo3/t3lib/thumbs.php`). Because the file does not include `init.php`, it computes `PATH_thisScript` locally using server variables that may be unreliable under CGI/FastCGI SAPI configurations, resulting in wrong path constants. When a subsequent `require()` call uses these constants, PHP emits an error message that reveals the filesystem path [ref_id=1].
Affected code
The vulnerability affects three files: `t3lib/thumbs.php`, `tslib/showpic.php`, and `t3lib/stddb/tables.php`. These files fail to include `init.php` and instead locally compute the `PATH_thisScript` constant, leading to incorrect values for `PATH_t3lib` and `PATH_tslib` [ref_id=1].
What the fix does
The advisory states that a patch was published on the TYPO3 bug tracker (http://bugs.typo3.org/view.php?id=2248) on January 14, 2006, but the patch content is not included in this bundle [ref_id=1]. The fix presumably ensures the vulnerable files properly include `init.php` or otherwise compute path constants correctly so that `require()` calls do not fail and leak the filesystem path.
Preconditions
- config: The server must be running PHP under a CGI/FastCGI SAPI where `PATH_TRANSLATED` or `ORIG_PATH_TRANSLATED` may differ from the actual script path.
- config: PHP's `display_errors` must be enabled so that the failed `require()` error message is shown to the attacker.
- auth: No authentication is required; the attacker can make a direct HTTP request to the vulnerable files.
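A check a site owner can run over responses captured from their own TYPO3 install, to confirm that a failed `require()` no longer discloses a filesystem path (for example after disabling `display_errors`). This is an added example, not code from the advisory or from TYPO3; the sample bodies, the `/srv/www/example` prefix and the `class.example.php` name are constructed, and the pattern assumes PHP's standard English error format.

```python
import html
import re

# PHP's standard message for a failed require/include, after HTML is stripped:
#   Warning: require(<file>) [...]: failed to open stream: ... in <script> on line <n>
PHP_REQUIRE_ERROR = re.compile(
    r"(?P<level>Warning|Fatal error):\s+"
    r"(?P<func>(?:require|include)(?:_once)?)\([^)]*\)"
    r".*?\sin\s+(?P<script>\S+)\s+on line\s+(?P<line>\d+)"
)
TAGS = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return one finding per require/include error line in a response body."""
    # With html_errors on, PHP wraps fields in <b>...</b>; strip markup first.
    text = html.unescape(TAGS.sub("", body))
    findings = []
    for line in text.splitlines():
        m = PHP_REQUIRE_ERROR.search(line)
        if m:
            findings.append({
                "level": m.group("level"),
                "function": m.group("func"),
                "script_path": m.group("script"),  # the disclosed filesystem path
                "line": int(m.group("line")),
            })
    return findings


# Constructed sample bodies; the paths and file names below are made up.
LEAKY_BODY = (
    "<br />\n<b>Warning</b>:  require(/wrong/base/t3lib/class.example.php) "
    "[<a href='function.require'>function.require</a>]: failed to open stream: "
    "No such file or directory in <b>/srv/www/example/typo3/t3lib/thumbs.php</b> "
    "on line <b>42</b><br />\n"
    "<br />\n<b>Fatal error</b>:  require() "
    "[<a href='function.require'>function.require</a>]: Failed opening required "
    "'/wrong/base/t3lib/class.example.php' (include_path='.') in "
    "<b>/srv/www/example/typo3/t3lib/thumbs.php</b> on line <b>42</b><br />\n"
)
CLEAN_BODY = "<html><body><p>Warning: maintenance tonight.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, find_path_disclosures(body))
```

An empty result for all three scripts means the error text is no longer reaching the client; the underlying `require()` failure may still occur and should then appear in the server-side error log instead.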
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.irmplc.com/advisory015.htm (nvd; Exploit, Vendor Advisory)
- secunia.com/advisories/18546 (nvd; Vendor Advisory)
- bugs.typo3.org/view.php (nvd)
- securityreason.com/securityalert/361 (nvd)
- www.osvdb.org/22665 (nvd)
- www.osvdb.org/22666 (nvd)
- www.osvdb.org/22667 (nvd)
- www.securityfocus.com/archive/1/422360/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/422390/100/0/threaded (nvd)
- www.vupen.com/english/advisories/2006/0269 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/24244 (nvd)