Re: TYPO3 SQL Injection vunerabilitie

From: Michael Shigorin (mike_at_osdn.org.ua)
Date: 03/04/05

Date: Fri, 4 Mar 2005 18:45:33 +0200
To: bugtraq@securityfocus.com

On Fri, Mar 04, 2005 at 12:06:37AM +0100, Sebastian Wolfgarten wrote:
> I am pretty sure Fabian (Neonomicus) meant *every link* (or
> site) generated by Typo3, didn't he?

Even if he did, it would be just as incorrect as the original
Subject.

> @Fabian (Neonomicus): Could you please provide more details
> about the vulnerability you've discovered? By the way did you
> give the Typo3 guys *enough* time to respond???

Most likely it was some weird way of contacting them in the
first place: posting the message to BTS resulted in an updated
extension version being published within some 5 hours, security
announce on the website ("Severity: high") and a reminder on
contact address (typo3-project-security>lists.netfielders.de).

PS: when choosing "the next CMS", one of our considerations was
virtually empty bugtraq coverage (with the code being public
since 2000 and used on quite a few sites). Go figure :-)

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/