lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050304095416.10596.qmail@www.securityfocus.com>
Date: 4 Mar 2005 09:54:16 -0000
From: Michael Stucki <michael@...o3.org>
To: bugtraq@...urityfocus.com
Subject: Re: TYPO3 SQL Injection vunerabilitie


In-Reply-To: <20050303170830.16705.qmail@....securityfocus.com>

Hello Fabian, 
 
(repost because posting through GMANE appears not to 
work!) 
 
> Two week ago I found a SQL Inejetion vulnerabilitie 
in Typo3 (in the 
> links-section/module/whatever you call it). I 
didn't really try to 
> develope an exploit because I thought typo3 would 
directly react. But 
> unfortunately that didn't happen :/ 
>  
> So here is the url that "exploits" the 
vulnerabilitie in a friendly way ;) 
 
As far as I know, this information should not go to a 
public mailing list 
until the developers got some time to fix that 
problem. 
 
Just think about the panic this will cause if you 
announce how to exploit 
that bug when there was no patch available since the 
maintainers of TYPO3 
had not been warned before...! 
 
Anyway, in this specific case it's not such a big 
problem because the bug 
must have been caused by a 3rd party plugin 
(=extension) to TYPO3. 
 
Since there are more than 1000 extensions in our 
repository you are kindly 
invited to contact me off this list to find out where 
it is caused and fix 
that problem. 
 
With kind regards 
- michael 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ