[TYPO3] TYPO3 Security Bulletin TYPO3-20070709-1: Incorrect authentication in ftpbrowser

Lars Houmark lars at typo3.org
Mon Jul 9 14:32:30 CEST 2007


Dear users of TYPO3,

It has been discovered that the extension ftpbrowser performs
authentication incorrectly in some files, leaving it open to exploitation.

==== Component Type ====
Third-party extension. This extension is not part of the TYPO3
default installation.

==== Affected Versions ====
Version 0.1.2 and all versions below

==== Vulnerability Type ====
Incorrect authentication

==== Severity ====
HIGH

==== Problem Description ====
Because authentication is lacking in some situations, the extension
opens the possibility of uploading malicious scripts, which could
compromise the installation.

==== Solution ====
An updated version is available from the TYPO3 extension manager at
http://typo3.org/extensions/repository/view/ftpbrowser/0.1.3/

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security  
Cookbook [1].

==== Credits ====
Credits go to security team member Henning Pingel, who discovered
these issues, and to Jean-David Gadina, who is the author and fixed
the issues.

Regards,

Lars Houmark
lars at typo3.org