I do not understand the security patch from last week: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-022/. I have an old installation of TYPO3 6.2. I truncated all the cf_* tables and opened pages with UID 2-6. No. As a result, I see 13 cf_cache_hash entries. Now I opened the details page from the list page in the interface. I see some parameters in the URL, such as the action, the controller, the UID of the currently displayed entry, and the reason for cHash. Then I copied these parameters (excluding id=x) to the URL of my pages 2-6. I have 13 more entries in cf_cache_hash. Thus, there is no cache fill.
Or how should I interpret this quote:
"Links with a valid cHash argument lead to the newly created record page cache. Since cHash is not tied to a specific page, attackers can use valid cHash arguments for multiple pages, which results in additional unnecessary page cache entries."
The following problem:
"If extensions such as realurl are used, you need to clear their caches (and TYPO3 caches)"
Could you tell me which tables I/we need to clear?
- tx_realurl_urldecodecache
- tx_realurl_urlencodecache
are maybe OK. But what about tx_realurl_pathcache? Because of this, I can understand this, but what about old entries for an earlier realurl configuration? If I truncate this table, these old records are no longer valid and they were not built again. Therefore, old search results are invalid.
Question from one of our clients: is it enough to clear the system cache in the backend or click "Clear all cache in Installtool"? Nice. IMO, this is not enough, and the tables should be truncated directly to the database. Right.
Following:
"This means that if such URLs are indexed by the search engine, visitors from this search engine will be on an inoperable page."
Hey, cool. And now? What is the solution? Keep it as it is? IMO depends on InstallTool installation: pageNotFoundOnCHashError. Right?
Please tell us what to do, and please add more details on how to handle this.
Stephen
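
The behaviour described in the quoted bulletin text, as an added example that is not part of the original post and is not TYPO3 code: a simplified Python model of a keyed hash over the query parameters, compared with and without the page id included in the hash. The key, the parameter names, the `PageCache` class and the use of HMAC-SHA256 are assumptions for illustration only.

```python
import hashlib
import hmac
from urllib.parse import urlencode

ENCRYPTION_KEY = b"constructed-demo-key"  # constructed; stands in for the site secret


def chash(params, page_id=None):
    """Keyed hash over the sorted query parameters.

    page_id=None models a hash that is not bound to a page (the behaviour
    the bulletin quote describes); passing page_id models a bound hash.
    """
    relevant = dict(params)
    if page_id is not None:
        relevant["id"] = str(page_id)
    canonical = urlencode(sorted(relevant.items())).encode()
    return hmac.new(ENCRYPTION_KEY, canonical, hashlib.sha256).hexdigest()


class PageCache:
    """Toy page cache keyed by (page id, cHash); hypothetical, for illustration."""

    def __init__(self, bind_to_page):
        self.bind_to_page = bind_to_page
        self.entries = set()

    def request(self, page_id, params, supplied_chash):
        expected = chash(params, page_id if self.bind_to_page else None)
        if not hmac.compare_digest(expected, supplied_chash):
            return False  # cHash mismatch: no cache entry is written
        self.entries.add((page_id, supplied_chash))
        return True


def replay(bind_to_page, origin_page=10, other_pages=(2, 3, 4, 5, 6)):
    """Reuse one valid link's parameters and cHash on other pages; count cache entries."""
    params = {"tx_demo[action]": "show", "tx_demo[uid]": "42"}  # constructed
    cache = PageCache(bind_to_page)
    valid = chash(params, origin_page if bind_to_page else None)
    cache.request(origin_page, params, valid)
    for pid in other_pages:
        cache.request(pid, params, valid)
    return len(cache.entries)
```

With the unbound hash, `replay(False)` produces one cache entry per page visited; with the page id in the hash, `replay(True)` leaves only the entry for the page the link was generated for.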