[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin20070801-1: Multiple vulnerabilities in extension ve_guestbook

Дылгеров Цыден Владимирович tsiden at icm.buryatia.ru
Fri Aug 3 03:24:26 CEST 2007


My apologies for the previous message; everything is fine with ve_guestbook 2.0.0.

That is what comes of editing the body of a script. I had earlier modified the old ve_guestbook script to make it post-moderated. After the emergency update those changes were, naturally, wiped out. In the morning, finding a flood of messages in the guestbook, I thought I had already fallen victim to an attack and wrote here.

To make the guestbook post-moderated, it is enough to tick the "Manual backend release of new entries" checkbox.

-----Original Message-----
The vulnerability was not fixed.
Дылгеров Ц.В.

From: typo3-russia-bounces at lists.netfielders.de [mailto:typo3-russia-bounces at lists.netfielders.de] On Behalf Of Michael Shigorin
Sent: Thursday, August 02, 2007 3:17 PM
To: typo3-russia at lists.netfielders.de
Subject: [TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin20070801-1: Multiple vulnerabilities in extension ve_guestbook

Hello.
All ve_guestbook users should urgently update to 2.0.0:
there is a SQL injection and it is already being exploited.

----- Forwarded message from Lars Houmark <lars/typo3.org> -----

Date: Wed, 1 Aug 2007 20:27:27 +0200
From: Lars Houmark <lars/typo3.org>
To: typo3-announce/lists.netfielders.de
Subject: [TYPO3-announce] TYPO3 Security Bulletin 20070801-1: Multiple vulnerabilities in extension ve_guestbook

Dear users of TYPO3,

It has been discovered that the extension ve_guestbook is vulnerable to SQL Injection attacks. Also, a Cross Site Scripting issue has been detected.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3 default installation.

==== Affected Versions ====
Version 1.9.3 and below

==== Vulnerability Type ====
SQL Injection, Cross Site Scripting

==== Severity ====
HIGH.
We have received indications that the flaw is already being
actively exploited.

==== Problem Description ====
Some versions of the extension are exposed to SQL injection because they fail to properly sanitize user-supplied input. Besides that, some versions are not preventing Cross Site Scripting attacks properly.

==== Solution ====
An updated version is available from the TYPO3 extension manager and at
http://typo3.org/extensions/repository/view/ve_guestbook/2.0.0/

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security Cookbook [1].
Keep an eye on the TYPO3 security bulletin page [2].

==== Annotation ====
The TYPO3 Security Team wishes to clarify that we have not yet
been able to get in touch with the author, nor to accomplish a formal
review of the extension. This advisory is being published nevertheless,
because we have received indications that the flaw is already being
actively exploited.

[1] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
[2] http://typo3.org/teams/security/security-bulletins/

Regards,

Lars Houmark
lars/typo3.org


----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike at altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
_______________________________________________
TYPO3-russia mailing list
TYPO3-russia at lists.netfielders.de
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-russia