[TYPO3] TYPO3 Security Bulletin 20070710-1: SQL Injection in fechangepassword

Lars Houmark lars at typo3.org
Tue Jul 10 20:15:27 CEST 2007

Dear users of TYPO3,

It has been discovered that the extension fechangepassword is open to SQL injection when updating the password.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3 default installation.

==== Affected Versions ====
Version 2.1.2 and all versions below

==== Vulnerability Type ====
SQL Injection

==== Severity ====

==== Problem Description ====
When changing the password, it is possible to post malicious data that is injected into the SQL update query.
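As an added illustration, not part of this bulletin and not the fechangepassword extension's own code (which is PHP): the two ways a password-update statement can be built, shown in Python against an in-memory SQLite table. The table and column names (fe_users, uid, username, password) and the sample rows are constructed stand-ins. The injectable form pastes request values straight into the statement, so a crafted password value rewrites the WHERE clause and changes every row; the hardened form validates the uid as an integer and binds both values as parameters, so the same input is stored as an inert string.

```python
import sqlite3

# Constructed sample data: a minimal stand-in for a frontend-user table.
SAMPLE_USERS = [
    (1, "alice", "old-a"),
    (2, "bob", "old-b"),
    (3, "carol", "old-c"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO fe_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def passwords(conn):
    """Return {uid: password} so the effect of an update can be inspected."""
    return dict(conn.execute("SELECT uid, password FROM fe_users"))


def update_password_vulnerable(conn, uid, new_password):
    """Injectable pattern: request values are concatenated into the UPDATE.

    A new_password such as "x' WHERE 1=1 --" closes the string literal,
    supplies its own WHERE clause and comments out the intended one, so the
    statement touches every row.  Returns the number of rows changed.
    """
    sql = f"UPDATE fe_users SET password = '{new_password}' WHERE uid = {uid}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_password_safe(conn, uid, new_password):
    """Hardened pattern: validate the uid, then bind both values as parameters.

    int() raises ValueError for anything that is not a plain integer, and the
    driver passes the password to the engine as data, never as SQL text.
    Returns the number of rows changed (1 for an existing uid).
    """
    uid = int(uid)  # rejects e.g. "2 OR 1=1" before any SQL is built
    cur = conn.execute(
        "UPDATE fe_users SET password = ? WHERE uid = ?", (new_password, uid)
    )
    conn.commit()
    return cur.rowcount


def safe_rejects_uid(conn, uid):
    """True if the hardened update refuses the given uid without running SQL."""
    try:
        update_password_safe(conn, uid, "irrelevant")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x' WHERE 1=1 --"
    conn = make_db()
    print("vulnerable rows changed:", update_password_vulnerable(conn, 2, payload))
    print(passwords(conn))
    conn = make_db()
    print("safe rows changed:", update_password_safe(conn, "2", payload))
    print(passwords(conn))
```

The detection-side takeaway is the same as the fix: a password change that reports more than one affected row, or a uid that does not parse as an integer, should never reach the database in the first place.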

==== Solution ====
An updated version is available from the TYPO3 extension manager at
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security Cookbook [1].

==== Credits ====
Credits go to Allan Jacobsen who is the author and fixed the issue.

[1] http://typo3.org/fileadmin/security-team/ 


Lars Houmark
lars at typo3.org
