[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin 20070801-1: Multiple vulnerabilities in extension ve_guestbook
Michael Shigorin
mike at osdn.org.ua
Thu Aug 2 08:17:27 CEST 2007
Здравствуйте.
Всем пользователям ve_guestbook срочно обновлять до 2.0.0,
есть SQL injection и им уже пользуются.
----- Forwarded message from Lars Houmark <lars/typo3.org> -----
Date: Wed, 1 Aug 2007 20:27:27 +0200
From: Lars Houmark <lars/typo3.org>
To: typo3-announce/lists.netfielders.de
Subject: [TYPO3-announce] TYPO3 Security Bulletin 20070801-1: Multiple vulnerabilities in extension ve_guestbook
Dear users of TYPO3,
It has been discovered that the extension ve_guestbook is vulnerable
to SQL Injection attacks. Also, a Cross Site Scripting issue has been
detected.
==== Component Type ====
Third party extension. This extension is not part of the TYPO3
default installation.
==== Affected Versions ====
Version 1.9.3 and below
==== Vulnerability Type ====
SQL Injection, Cross Site Scripting
==== Severity ====
HIGH.
We have received indications that the flaw is already being
actively exploited.
==== Problem Description ====
Some versions of the extension are exposed to SQL injection because
they fail to properly sanitize user-supplied input. Besides that,
some versions are not preventing Cross Site Scripting attacks properly.
==== Solution ====
An updated version is available from the TYPO3 extension manager and at
http://typo3.org/extensions/repository/view/ve_guestbook/2.0.0/
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook [1].
Keep notice of the TYPO3 security bulletin page [2].
==== Annotation ====
The TYPO3 Security Team wishes to clarify that we have not yet
been able to get in touch with the author, nor to accomplish a formal
review of the extension. This advisory is being published nevertheless,
because we have received indications that the flaw is already being
actively exploited.
[1] http://typo3.org/fileadmin/security-team/
typo3_security_cookbook_v-0.5.pdf
[2] http://typo3.org/teams/security/security-bulletins/
Regards,
Lars Houmark
lars/typo3.org
_______________________________________________
TYPO3-announce mailing list
TYPO3-announce/lists.netfielders.de
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce
----- End forwarded message -----
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
More information about the TYPO3-russia
mailing list