[Typo3] encryptionKey value compromised! - security issue

Michael Stucki michael at typo3.org
Wed Jul 6 22:51:47 CEST 2005


Dear Darryl,

> I have discovered that my encryptionKey is being revealed through the urls
> in indexed search results. Kind of scary!

Uhuhuuuh, a security issue!!

I'm not sure if you just wanted to make some noise or if you really didn't
think about this first. There are general "rules" on how to proceed with
security issues. Announcing them on a public mailing list is definitely not
the way to go!

If you were only a little bit serious about security, you would have found
this page very easily: http://typo3.org/teams/security/contact-us/

> A similar situation was reported recently by Steven...
>
> http://typo3.org/documentation/mailing-lists/english-main-list-archive/thread/110128386
> 
> Though in my case I am still using 3.7.0 and have not yet upgraded to
> 3.8.0.

Yes and I discussed this with Steven by private mail where it turned out
that he still used the old version of indexed_search in his 3.8.0
environment.

To make it clear: The bug is fixed in TYPO3 versions 3.7.1 and later, but
you have to make sure that you don't use an old version which is installed
locally (in typo3conf/ext/, this would override the global/system ext.).

In this case it's no problem because the bug is already fixed and an upgrade
is available, but just imagine what would have happened if the issue was
true! Would this help anyone?

- michael
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
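
The override described in the message (an old local copy in typo3conf/ext/ taking precedence over the fixed global/system extension) can be checked with a short script. This is an added example, not part of the original post or TYPO3 code; it assumes global extensions live in typo3/ext/, system extensions in typo3/sysext/, and that each extension carries an ext_emconf.php with a 'version' entry. The function names are hypothetical.

```shell
#!/bin/sh
# List extensions whose local copy in typo3conf/ext/ shadows a global
# (typo3/ext/) or system (typo3/sysext/) copy with the same extension key.
# Assumption: conventional TYPO3 directory layout under the site root.

# Print the 'version' value from an extension's ext_emconf.php, or "unknown".
ext_version() {
    f="$1/ext_emconf.php"
    [ -f "$f" ] || { echo unknown; return 0; }
    v=$(sed -n "s/.*['\"]version['\"][[:space:]]*=>[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1)
    echo "${v:-unknown}"
}

# Usage: find_shadowed_exts /path/to/site
# Output: one line per shadowed extension: <key> local=<ver> <scope>=<ver>
find_shadowed_exts() {
    root="$1"
    for local_dir in "$root"/typo3conf/ext/*/; do
        [ -d "$local_dir" ] || continue          # glob matched nothing
        key=$(basename "$local_dir")
        for scope in ext sysext; do
            shipped="$root/typo3/$scope/$key"
            [ -d "$shipped" ] || continue        # no shipped copy, nothing shadowed
            echo "$key local=$(ext_version "$local_dir") $scope=$(ext_version "$shipped")"
        done
    done
}

# Run against a site root when one is given on the command line.
if [ -n "${1:-}" ]; then find_shadowed_exts "$1"; fi
```

Any line it prints for indexed_search means the local copy is the one actually loaded, so its version is the one to compare against the fixed release.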


