[Typo3] SQL Injection - READ THIS PLEASE.
Michael Scharkow
mscharkow at gmx.net
Sat Mar 5 00:38:45 CET 2005
Peter Russ wrote:
> My concern is how bugs are handled at the moment. Situation could have
> been much more relaxed if there would have been an announcement:
> "Uninstall that extension. We are investigating".
I'm still undecided on whether this is the right thing to do. What if
there isn't a vulnerability and people take down an extension used in
production? There will be complaints in any case.
> That's pretty simple. If you run several servers based on Typo3 and have
> no exact idea which extension causes the problems you might be in
> trouble when you get attacked.
Agreed, this is an issue for me, too.
> But now we've learnt that's not enough to subscribe to English NG or dev
> or German but the really important seems to be announcement. IMHO this
> policy has to be challenged. Or do we really want to read about Typo3
> based vulnerabilities in other places?
There have been crossposts here, and I expect there will be in the
future because it's important enough to be worth the extra traffic.
> Finally if it was just a press hype from a guy attracting all the
> attention OR if he is right claiming that he informed "Typo3" a
> fortnight ago has to be discussed. Perhaps in a different or new NG.
Well, I got the information from stucki whom I trust a lot more than a
guy who obviously does not know or care about the bug being not in TYPO3
code...
> So let us volunteer the security team to get challenges efficiently
> handled!
Yep, I think I'll ask to join them as soon as I get back from modem-only
vacation...
Greetings,
Michael