[Typo3] SQL Injection - READ THIS PLEASE.

Michael Scharkow mscharkow at gmx.net
Sat Mar 5 00:38:45 CET 2005

Peter Russ wrote:

> My concern is how bugs are handled at the moment. Situation could have 
> been much more relaxed if there would have been an announcement: 
> "Uninstall that extension. We are investigating".

I'm still undecided on whether this is the right thing todo. What if 
there isn't a vulnerability and people take down an extension used in 
production. There will be complaints in any case.

> That's pretty simple. If you run several servers based on Typo3 and has 
> no exact idea which extension causes the problems you might be in 
> trouble when you got attacked.

Agreed, this is an issue for me, too.

> But now we've learnt that's not enough to subscribe to English NG or dev 
> or German but the realy important seems to be announcement. IMHO this 
> policy has to be challenged. Or do we really want to read about Typo3 
> based vulnerabilities in other places?

There have been crossposts here, and I expect there will be in the 
future because it's important enough to be worth the extra traffic.

> Finally if it was just a press hipe from a guy attracking all the 
> attention OR if he is right claiming that he informed "Typo3" a 
> fortnight ago has to be discussed. Perhaps in a different or new NG.

Well, I got the information from stucki whom I trust a lot more than a 
guy who obviously does not know or care about the bug being not in TYPO3 

> So let us volunteer the security team to get challenges efficiently 
> handled!

Yep, I think I'll ask to join them as soon as I get back from modem-only 


More information about the TYPO3-english mailing list