[Typo3] SQL Injection

JoH info at cybercraft.de
Fri Mar 4 10:34:47 CET 2005


>> The list is a closed (restricted) one. Just some people are on it.
>> It isn't good
>> to have too many people knowing of security leaks. Some could do bad
>> things.
>
> Oh, yes. It's far better to leave the hundreds of TYPO3 admins
> uninformed and have their sites broken into. I see you're adhering to
> the well-established Microsoft security policy.
>
> I fully agree with what Peter wrote, that we need professional
> security handling:
>
> 1. Announce the vulnerability in public without the details, so I may
> shut down the Extension or react in other appropriate ways.
>
> 2. Post the full disclosure to the closed security list and the
> maintainer of the code who then *quickly* fix this and release a
> public security advisory.
>
> Please no more blackboxes or "forward this privately to XXX"!

Well, guys - the only professional way to handle security-related things is:
Only people you can trust should be informed about vulnerabilities and other
security holes _as long as there is no fix_ for such a problem.
This has nothing to do with the camouflage behaviour of MS, where security
holes are known and _not_ fixed for a very long time. It simply doesn't make
any sense to go out on the street and cry out loud: Hey folks! My door lock
is broken!! Is there anybody who can fix it before the bad guys are
coming?!? And please, folks, if you have got the same doors, replace them
with something else or wall up the entrance! - Believe me, the bad guys will
always be one step ahead, even without knowing the details about the lock.

And if you should only inform people you can trust, the way to inform them
is surely _not_ an NG that can be read by almost everybody, but a simple
mailing list with a few registered people.
Anything else is IMHO more than naive behaviour ...

There is only one possible situation where you are forced to make it public:
when somebody else is standing on the street crying out what he knows about
your door locks.

Joey
