Message-ID: <20050304095416.10596.qmail@www.securityfocus.com>
Date: 4 Mar 2005 09:54:16 -0000
From: Michael Stucki <michael@...o3.org>
To: bugtraq@...urityfocus.com
Subject: Re: TYPO3 SQL Injection vunerabilitie
In-Reply-To: <20050303170830.16705.qmail@....securityfocus.com>
Hello Fabian,

(repost because posting through GMANE appears not to work!)

> Two weeks ago I found a SQL Injection vulnerability in Typo3 (in the
> links-section/module/whatever you call it). I didn't really try to
> develop an exploit because I thought typo3 would directly react. But
> unfortunately that didn't happen :/
>
> So here is the url that "exploits" the vulnerability in a friendly way ;)

As far as I know, this information should not go to a public mailing list
until the developers got some time to fix that problem.

Just think about the panic this will cause if you announce how to exploit
that bug when there was no patch available since the maintainers of TYPO3
had not been warned before...!

Anyway, in this specific case it's not such a big problem because the bug
must have been caused by a 3rd party plugin (=extension) to TYPO3.

Since there are more than 1000 extensions in our repository you are kindly
invited to contact me off this list to find out where it is caused and fix
that problem.

With kind regards
- michael