
Re: TYPO3 SQL Injection vulnerability



In-Reply-To: <20050303170830.16705.qmail@xxxxxxxxxxxxxxxxxxxxx>

Hello Fabian, 
 
(repost because posting through GMANE appears not to work!)
 
> Two weeks ago I found a SQL Injection vulnerability in Typo3 (in the
> links-section/module/whatever you call it). I didn't really try to
> develop an exploit because I thought typo3 would directly react. But
> unfortunately that didn't happen :/
>
> So here is the url that "exploits" the vulnerability in a friendly way ;)
 
As far as I know, this information should not go to a public mailing list
until the developers have had some time to fix that problem.
 
Just think about the panic this will cause if you announce how to exploit
that bug when there is no patch available, since the maintainers of TYPO3
had not been warned before...!
 
Anyway, in this specific case it's not such a big problem because the bug
must have been caused by a 3rd party plugin (=extension) to TYPO3.
 
Since there are more than 1000 extensions in our repository you are kindly
invited to contact me off this list to find out where it is caused and fix
that problem.
 
With kind regards 
- michael