[Typo3-dev] sql injection problem?
Axel Burkhardt
burgi at burgi.de
Fri Mar 4 10:18:15 CET 2005
This morning a guy called "Fabian Becker" (neonomicus at gmx.de) posted the
following mail in the bugtraq mailing list. He claims that he found a
SQL injection problem in typo3. His "example" is absolutely insignificant
and I can't reproduce the problem (at least I don't even get the point).
But it was posted on a public mailing list - so we have to care.
> Hello Bugtraq :)
> Two weeks ago I found a SQL Injection vulnerability in Typo3 (in the links-section/module/whatever you call it).
> I didn't really try to develop an exploit because I thought typo3 would directly react.
> But unfortunately that didn't happen :/
>
> So here is the url that "exploits" the vulnerability in a friendly way ;)
>
> http://[UrlToLinksSection]?&no_cache=1&action=getviewcategory&category_uid=1%20or%201=1
>
> Maybe someone will find a way to exploit this one in a malicious way so get typo3 to update its software!
>
> C ya
> Neonomicus :)
>
> Greets go out to:
> Visus, Data-Storm-Industries-crew, Feanor, juck, the orkut-community :D, everybody I forgot ^^
>
> Visit me at http://data-storm.com :)
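
Added example, not part of the original thread and not TYPO3 or extension code: it shows what the quoted `category_uid=1%20or%201=1` value does when a handler pastes it into a numeric `WHERE` clause, next to a handler that validates the value as an integer and binds it. The `links` table, its columns and both function names are assumptions; the thread does not show the affected query.

```python
import re
import sqlite3
from urllib.parse import unquote

# The parameter value from the quoted URL, decoded as a web server would.
REPORTED_VALUE = unquote("1%20or%201=1")  # "1 or 1=1"


def make_db():
    """Constructed sample data standing in for a links table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE links (uid INTEGER PRIMARY KEY,"
               " category_uid INTEGER, title TEXT)")
    db.executemany(
        "INSERT INTO links (category_uid, title) VALUES (?, ?)",
        [(1, "category 1, link A"), (1, "category 1, link B"),
         (2, "category 2 link"), (3, "category 3 link")])
    return db


def links_concatenated(db, category_uid):
    """Weak pattern: the request value becomes part of the SQL text.

    In a numeric context there are no quotes to break out of, so quote
    escaping does not help; "1 or 1=1" is parsed as a boolean expression.
    """
    sql = ("SELECT title FROM links WHERE category_uid = "
           + category_uid + " ORDER BY uid")
    return [row[0] for row in db.execute(sql)]


def links_bound(db, category_uid):
    """Hardened pattern: accept ASCII digits only, then bind as a parameter."""
    if not re.fullmatch(r"[0-9]+", category_uid):
        raise ValueError("category_uid must be an unsigned integer")
    sql = "SELECT title FROM links WHERE category_uid = ? ORDER BY uid"
    return [row[0] for row in db.execute(sql, (int(category_uid),))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, '1':      ", links_concatenated(db, "1"))
    print("concatenated, reported: ", links_concatenated(db, REPORTED_VALUE))
    print("bound, '1':             ", links_bound(db, "1"))
    try:
        links_bound(db, REPORTED_VALUE)
    except ValueError as exc:
        print("bound, reported:         rejected:", exc)
```

With the concatenated query the category filter no longer restricts the result, which is the observable difference to look for when trying to reproduce a report like this one.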