[Typo3] SQL Injection - READ THIS PLEASE.

Michael Stucki michael at typo3.org
Sat Mar 5 17:37:58 CET 2005


Hello Steffen,

>> I'm still undecided on whether this is the right thing to do. What if
>> there isn't a vulnerability and people take down an extension used in
>> production. There will be complaints in any case.
> 
> Yes, but we can give the admin a chance to decide what to do (in good
> hope that he knows what he does).

Just keep in mind that this case (leak was made public before we were
informed) did not happen ever before and hopefully will never again.

If you have read the comments on Bugtraq you could see that many people
(including me) have scathed the person who sent this there.
This is not a usual case, he was irresponsible. Hope it never happens again.

In the usual case when one discovers a bug and we can fix it within a
reasonable timeframe we will not publish anything about this case unless
the patch is available. Exceptions reserved, depends on the severity.

This policy is used by many other projects and I'm certain that it's better
to write only once, not twice, about a leak.

Kind regards (and big kudos for your big efforts yesterday!)
- michael
-- 
Want support? Please read the list rules first: http://typo3.org/1438.0.html
==
Time to subscribe to typo3-announce:
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce