[Typo3] SQL Injection

Peter Russ peter.russ at 4many.net
Fri Mar 4 10:42:37 CET 2005


JoH schrieb:

>>>The list is a closed (restricted) one. Just some people are on it.
>>>It isn't good
>>>to have too many people knowing of security leaks. Some could do bad
>>>things.
>>
>>Oh, yes. It's far better to leave the hundreds of TYPO3 admins
>>uninformed and have their sites broken in. I see you're adhering to
>>the well-established Microsoft security policy.
>>
>>I fully agree with what Peter wrote, that we need professional
>>security handling:
>>
>>1. Announce the vulnerability in public without the details, so I may
>>shut down the Extension or react in other appropriate ways.
>>
>>2. Post the full disclosure to the closed security list and the
>>maintainer of the code who then *quickly* fix this and release a
>>public security advisory.
>>
>>Please no more blackboxes or "forward this privately to XXX"!
> 
> 
> Well, guys - the only professional way to handle security related things is:
> Only people you can trust should be informed about vulnerabilities and other
> security holes _as long as there is no fix_ for such a problem.
> This has nothing to do with the camouflage behaviour of MS, where security
> holes are known and _not_ fixed for a very long time, it simply doesn't make
> any sense to go out on the street and cry out loud: Hey folks! My door lock
> is broken!! Is there anybody who can fix it before the bad guys are
> coming?!? And please, folks, if you have got the same doors, replace them
> with something else or wall up the entrance! - Believe me, the bad guys will
> always be one step ahead, even without knowing the details about the lock.
> 
> And if you should only inform people you can trust, the way to inform them
> is surely _not_ a NG that can be read by almost everybody but a simple
> mailing list with a few registered people.
> Anything else is IMHO more than naive behaviour ...
> 
> There is only one possible situation where you are forced to make it public:
> When somebody else is standing on the street crying out, what he knows about
> your door locks.
> 
> Joey
> 
> 

This just happened: a few weeks ago a guy asked where to post (Kaspar 
sent me... ). And now this:

[quote]
Two weeks ago I found a SQL Injection vulnerability in Typo3 (in the
links-section/module/whatever you call it).
I didn't really try to develop an exploit because I thought typo3 would
directly react.
But unfortunately that didn't happen :/
[/quote]

I don't care whom YOU trust. BUT there are a lot of Typo3 admins out 
there and it would be better to get them informed. As the door is broken...


Regs. Peter.
_____________________________
4Many Services
http://www.4many.net              http://www.4dfx.de

Kundenserver/Customer server
http://www.typo3-server.net
