[Typo3] SQL Injection

Peter Russ peter.russ at 4many.net
Fri Mar 4 09:42:02 CET 2005

Ekkehard Gümbel schrieb:

> Ries,
> that's not your fault for sure. We are going to have some place on 
> typo3.org shortly where everybody can place questions or clues regarding 
> presumed security issues. I think that would have helped :-)
> thx
> /Ekki
> Ries van Twisk schrieb:
>> Bernard,
>> I am not a member of that list... nor that I even knew (forgot...) 
>> that it existed,
>> But in any case... I didn't wrote down how.
>>> All after all this notice should have gone to the security mailinglist
>>> at typo3-project-security at lists.netfielders.de
>>> It is not good to have such things public ...

I'm just wondering how security issues are handled at the moment at 
Typo3. If there is an alert in other software e.g. MySql or IM or PHP 
messages are reposted that can be found everywhere.

BUT if there are hints that there are security problems in Typo3 the 
only reaction I can see is either Kasper "please forward this 
information directly to me" or "we will have a big black box" and only 
Yedi Knights get the information how to solve possible problems.

IMHO if there is a problem the only responsible reaction would be "turn 
of this ..." or "check that...". It's not necessary to explain in detail 
how the infection/bug attacks. But it would help to solve problems.

So I'm not concerned about the guy carrying vulnerabilities to the 
public not posting to the big black box as this "is not the offical way 
how we would like to get informed". How many are there knowing about 
weaknesses and just using their knowledge?

I would like to see that this kind of problems could be handled in a 
professional manner. Why do you try to follow big MS and outperform how 
they handle their vulnerabilites ;-)

Regs. Peter.
4Many Services
http://www.4many.net              http://www.4dfx.de

Kundenserver/Customer server

More information about the TYPO3-english mailing list