[Typo3] SQL Injection - READ THIS PLEASE.

Peter Russ peter.russ at 4many.net
Sat Mar 5 00:01:43 CET 2005 

Michael Scharkow schrieb:

> Peter Russ wrote:
> 
>> Nope that not quite right:
>>
>> Linux is not the frame work as Apache can run under different OSes. So 
>> if you want to compare you should do it apple by apple.
> 
> 
> Come on, this is not an argument. Shall we blame Microsoft for Symantec 
> Software (which does not run under anything but Windows) being a pile of 
> crap?
> It's just third party software which is written for TYPO3. It's not a 
> TYPO3 security issue, and I highly appreciate what the sec-team has 
> done, as I would have probably only said: Not my problem, blame the 
> extension author.
> 
>> I'm just wondering again:
>> If Typo3 is interested in supporting extensions and missed to come up 
>> with a process to differentiate between experimental, alpha, beta, 
>> testing, stable and let the developer decide without QA ... Who 
>> creates the problems: the chicken or the egg?
> 
> 
> The extension review is meant for sorting out stuff in TER, not for 
> cleaning crappy extensions. It's not a certification programme that 
> extension XYZ is secure, and I don't think the review team intends to 
> guarantee that the reviewed extensions are bug free and secure.
> 
>> By the way: what is a 3rd party extension at open source? And who is 
>> debugging the core Typo3 or 2nd party products? What's about the 
>> "hidden features" of the 1st party...
> 
> 
> What is problem? Stuff in -core is maintained by the core team, the rest 
> is not. How clean can a distinction be?
> 
>> If you want developers to publish their extension at typo3.org you 
>> also have to accept the consequences if s.th. goes wrong. Or different 
>> place has to be established.
> 
> 
> Ack. But allowing extensions to TER does not mean you have to maintain 
> them. And again, there seem to have been problems with an obviously 
> misleading and impolite bugtraq pr blitz...
> 
> I think the advisory is still too defensive, it should be stated more 
> prominently that the bug is not in TYPO3 at all.
> 
> Greetings,
> Michael

Hallo Michael,

if Mercedes doesn't finish at Formula 1 who cares about 3rd party 
problems ;-). Mercedes is loosing confidence.

My concern is how bugs are handled at the moment. Situation could have 
been much more relaxed if there would have been an announcement: 
"Uninstall that extension. We are investigating".

That's pretty simple. If you run several servers based on Typo3 and has 
no exact idea which extension causes the problems you might be in 
trouble when you got attacked.

But now we've learnt that's not enough to subscribe to English NG or dev 
or German but the realy important seems to be announcement. IMHO this 
policy has to be challenged. Or do we really want to read about Typo3 
based vulnerabilities in other places?

Finally if it was just a press hipe from a guy attracking all the 
attention OR if he is right claiming that he informed "Typo3" a 
fortnight ago has to be discussed. Perhaps in a different or new NG.

So let us volunteer the security team to get challenges efficiently handled!


Regs. Peter.
_____________________________
4Many Services
http://www.4many.net              http://www.4dfx.de

Kundenserver/Customer server
http://www.typo3-server.net

More information about the TYPO3-english mailing list