[TYPO3-ttnews] Re: TYPO3-EXT-SA-2014-003: Insecure Unserialize
Fabian Thommen
ft at taywa.ch
Thu Feb 13 11:16:01 CET 2014
This was changed from 3.5.1 to 3.5.2:
diff -r tt_news/lib/class.tx_ttnews_catmenu.php tt_news_bak-2014-02-13/lib/class.tx_ttnews_catmenu.php
337c337
< $this->stored = json_decode($_COOKIE[$this->treeName], true);
---
> $this->stored = unserialize($_COOKIE[$this->treeName]);
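Review bot: on the json_decode() side of line 337 the decoded cookie is assigned to $this->stored without any check, and the cookie is still client-controlled. json_decode() returns null on malformed input, and $_COOKIE[$this->treeName] may be unset, so guard with isset() and is_array() and fall back to an empty array. Cookies already written with serialize() will also fail to decode here, which that fallback would cover.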
374c374
< setcookie($this->treeName, json_encode($this->stored));
---
> setcookie($this->treeName, serialize($this->stored));
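Review bot: at line 374 setcookie() is still called with only a name and a value, so the tree state goes out as an unsigned session cookie with default path and no HttpOnly or Secure flag. Switching to json_encode() removes object instantiation on the read side but does not make the value trustworthy. If the code relies on the stored state beyond display, keep it in the server-side session or add an integrity check, and handle json_encode() returning false.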
So you don't need a login. Anyone can manipulate the COOKIE.