[Typo3] SQL Injection - READ THIS PLEASE.
Steffen Müller
steffen at mail.kommwiss.fu-berlin.de
Sat Mar 5 17:17:43 CET 2005
Hi.
On 03/05/2005 12:38 AM Michael Scharkow wrote:
> Peter Russ wrote:
>
>> My concern is how bugs are handled at the moment. The situation could
>> have been much more relaxed if there had been an announcement:
>> "Uninstall that extension. We are investigating".
>
> I'm still undecided on whether this is the right thing to do. What if
> there isn't a vulnerability and people take down an extension used in
> production? There will be complaints in any case.
>
Yes, but we can give the admin a chance to decide what to do (in the
good hope that he knows what he is doing).
>
>> But now we've learnt that it's not enough to subscribe to the English NG
>> or dev or German; the really important one seems to be announcement. IMHO
This is what I have learned:
1a) Since extensions are available on (official!) typo3.org, not only
the author is responsible, but the community as well. Who else should
take care of orphaned extensions? What if an author doesn't care about
security issues (or bugs at all), or does not have the time/skill?
1b) We are the community; anyone might become a volunteer - it's open
source. In case of bugs or security leaks, anyone could investigate the
affected code, post a patch on the list/bugtracker, or test a patch and
give feedback.
2) There is no case management for security issues. This could be a
reason why things took more time than necessary. I think we need to
have that.
3) Quality management for 3rd-party extensions currently depends only on
the author. We need to change that.
Extensions could be certified (DBAL compatible, working with
indexed_search, ...), examined for security leaks (XSS/SQL injection
prevention, ...), and so on.
4) In case of emergency, it must be possible at any time to assign
write access on TER if the author of the extension does not react.
--
cheers,
Steffen