[Typo3] SQL Injection - READ THIS PLEASE.

Michael Stucki michael at typo3.org
Sat Mar 5 17:37:58 CET 2005

Hello Steffen,

>> I'm still undecided on whether this is the right thing todo. What if
>> there isn't a vulnerability and people take down an extension used in
>> production. There will be complaints in any case.
> Yes, but we can give the admin a chance to decide, what to do (in good
> hope, that he knows, what he does).

Just keep in mind that this case (leak was made public before we were
informed) did not happen ever before and hopefully will never again.

If you have read the comments on Bugtraq you could see that many people
(including me) have scathed the person who sent this there.
This is not a usual case, he was irresponsible. Hope it never happens again.

In the usual case when one discovers a bug and we can fix it within a
reasonable timeframe we will not publish anything about this case unless a
the patch is available. Exeptions reserved, depends on the severity.

This policy is used by many other projects and I'm certain that it's better
to write only once not twice about a leak.

Kind regards (and big kudos for your big efforts yesterday!)
- michael
Want support? Please read the list rules first: http://typo3.org/1438.0.html
Time to subscribe to typo3-announce:

More information about the TYPO3-english mailing list