[Typo3] SQL Injection
peter.russ at 4many.net
Fri Mar 4 09:42:02 CET 2005
Ekkehard Gümbel wrote:
> that's not your fault for sure. We are going to have some place on
> typo3.org shortly where everybody can place questions or clues regarding
> presumed security issues. I think that would have helped :-)
> Ries van Twisk wrote:
>> I am not a member of that list... nor that I even knew (forgot...)
>> that it existed,
>> But in any case... I didn't write down how.
>>> All after all this notice should have gone to the security mailing list
>>> at typo3-project-security at lists.netfielders.de
>>> It is not good to have such things public ...
I'm just wondering how security issues are handled at the moment at
Typo3. If there is an alert in other software, e.g. MySQL or IM or PHP,
messages are reposted that can be found everywhere.
BUT if there are hints that there are security problems in Typo3 the
only reaction I can see is either Kasper "please forward this
information directly to me" or "we will have a big black box" and only
Jedi Knights get the information how to solve possible problems.
IMHO if there is a problem the only responsible reaction would be "turn
off this ..." or "check that...". It's not necessary to explain in detail
how the infection/bug attacks. But it would help to solve problems.
So I'm not concerned about the guy carrying vulnerabilities to the
public not posting to the big black box as this "is not the official way
how we would like to get informed". How many are there knowing about
weaknesses and just using their knowledge?
I would like to see that these kinds of problems could be handled in a
professional manner. Why do you try to follow big MS and outperform how
they handle their vulnerabilities ;-)