[Typo3] SQL Injection

Michael Scharkow mscharkow at gmx.net
Fri Mar 4 10:03:20 CET 2005


Kraft Bernhard wrote:

> The list is a closed (restricted) one. Just some people are on it. It
> isn't good to have too many people knowing of security leaks. Some could
> do bad things.

Oh, yes. It's far better to leave the hundreds of TYPO3 admins 
uninformed and have their sites broken into. I see you're adhering to the 
well-established Microsoft security policy.

I fully agree with what Peter wrote, that we need professional security 
handling:

1. Announce the vulnerability in public without the details, so I may 
shut down the Extension or react in other appropriate ways.

2. Post the full disclosure to the closed security list and the 
maintainer of the code who then *quickly* fix this and release a public 
security advisory.

Please no more blackboxes or "forward this privately to XXX"!

Greetings,
Michael


