[Typo3-dev] Possible vulnerability in Typo3 (including 3.7)
Peter Stamfest
peter at stamfest.at
Mon Feb 7 18:36:51 CET 2005
Hello Typo3 developers.
[Sorry for this bold introduction, but I have been able to use this
technique to send spam, so I think it is a real issue.]
Synopsis:
A possible vulnerability in Typo3 exists, leading to information
leakages. It might be often exploitable to send SPAM through a Typo3
installation. A quick google search did not show anything with respect to
the problem, so it might be new.
Disclaimer:
I have never set up a Typo3 server myself, but I have demonstrated this
technique in real life. I have checked the source code of version 3.7 of
Typo3 and it has the same code as the version I demonstrated this against.
Maybe I'm completely wrong with my analysis, but the chance is there that I
am not. If I am wrong then I'm sorry to waste your time.
Detailed Information:
I will not fully disclose the problem here. However, I am willing to
discuss this matter with those that can make changes to the source
off-list (that is: those with CVS write-access at SF). Once this has been
resolved, I plan to send this to bugtraq.
peter
_________________________________________________________________________
Dipl.-Ing. Peter Stamfest UNIX, Networking & Computing Consultant
Tel: +43/699/10711205 Software Development - Internetservices
E-Mail: peter at stamfest.at WWW: http://stamfest.at/