[Typo3-dev] Possible vulnerability in Typo3 (including 3.7)
Kasper Skårhøj
kasper2005 at typo3.com
Mon Feb 7 18:44:15 CET 2005
You can address me directly if you want.
- kasper
On Mon, 2005-02-07 at 18:36, Peter Stamfest wrote:
> Hello Typo3 developers.
>
> [Sorry for this bold introduction, but I have been able to use this
> technique to send spam, so I think it is a real issue.]
>
> Synopsis:
>
> A possible vulnerability in Typo3 exists, leading to information
> leakages. It might be often exploitable to send SPAM through a Typo3
> installation. A quick google search did not show anything with respect to
> the problem, so it might be new.
>
> Disclaimer:
>
> I have never set up a Typo3 server myself, but I have demonstrated this
> technique in real life. I have checked the source code of version 3.7 of
> Typo3 and it has the same code as the version I demonstrated this against.
> Maybe I'm completely wrong with my analysis, but the chance is there that I
> am not. If I am wrong then I'm sorry to waste your time.
>
> Detailed Information:
>
> I will not fully disclose the problem here. However, I am willing to
> discuss this matter with those that can make changes to the source
> off-list (that is: those with CVS write-access as SF). Once this has been
> resolved, I plan to send this to bugtraq.
>
> peter
>
> _________________________________________________________________________
> Dipl.-Ing. Peter Stamfest UNIX, Networking & Computing Consultant
> Tel: +43/699/10711205 Software Development - Internetservices
> E-Mail: peter at stamfest.at WWW: http://stamfest.at/
>
> _______________________________________________
> Typo3-dev mailing list
> Typo3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
--
- kasper
*******************
Happy new year! - My email address is now:
kasper2005 at typo3.com