Bugtraq mailing list archives

Re: TYPO3 SQL Injection vulnerability


From: Michael Stucki <michael () typo3 org>
Date: 4 Mar 2005 09:54:16 -0000

In-Reply-To: <20050303170830.16705.qmail () www securityfocus com>

Hello Fabian, 
 
(repost because posting through GMANE appears not to work!)

Two weeks ago I found a SQL Injection vulnerability in Typo3 (in the links-section/module/whatever you call it). I didn't really try to develop an exploit because I thought typo3 would directly react. But unfortunately that didn't happen :/

So here is the url that "exploits" the vulnerability in a friendly way ;)

As far as I know, this information should not go to a public mailing list until the developers got some time to fix that problem.

Just think about the panic this will cause if you announce how to exploit that bug when there was no patch available since the maintainers of TYPO3 had not been warned before...!

Anyway, in this specific case it's not such a big problem because the bug must have been caused by a 3rd party plugin (=extension) to TYPO3.

Since there are more than 1000 extensions in our repository you are kindly invited to contact me off this list to find out where it is caused and fix that problem.
 
With kind regards 
- michael 
