[Typo3] SQL Injection - READ THIS PLEASE.

[Michael Scharkow]

Peter Russ wrote:

> Nope that not quite right:
> 
> Linux is not the frame work as Apache can run under different OSes. So 
> if you want to compare you should do it apple by apple.

Come on, this is not an argument. Shall we blame Microsoft for Symantec 
Software (which does not run under anything but Windows) being a pile of 
crap?
It's just third party software which is written for TYPO3. It's not a 
TYPO3 security issue, and I highly appreciate what the sec-team has 
done, as I would have probably only said: Not my problem, blame the 
extension author.

> I'm just wondering again:
> If Typo3 is interested in supporting extensions and missed to come up 
> with a process to differentiate between experimental, alpha, beta, 
> testing, stable and let the developer decide without QA ... Who creates 
> the problems: the chicken or the egg?

The extension review is meant for sorting out stuff in TER, not for 
cleaning crappy extensions. It's not a certification programme that 
extension XYZ is secure, and I don't think the review team intends to 
guarantee that the reviewed extensions are bug free and secure.

> By the way: what is a 3rd party extension at open source? And who is 
> debugging the core Typo3 or 2nd party products? What's about the "hidden 
> features" of the 1st party...

What is problem? Stuff in -core is maintained by the core team, the rest 
is not. How clean can a distinction be?

> If you want developers to publish their extension at typo3.org you also 
> have to accept the consequences if s.th. goes wrong. Or different place 
> has to be established.

Ack. But allowing extensions to TER does not mean you have to maintain 
them. And again, there seem to have been problems with an obviously 
misleading and impolite bugtraq pr blitz...

I think the advisory is still too defensive, it should be stated more 
prominently that the bug is not in TYPO3 at all.

Greetings,
Michael