[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070608-1: SQL injection in macina_banners / ric_rotation

Michael Shigorin mike at osdn.org.ua
Tue Jun 12 16:17:28 CEST 2007


----- Forwarded message from Lars Houmark <lars/typo3.org> -----

Date: Mon, 11 Jun 2007 14:44:55 +0200
From: Lars Houmark <lars/typo3.org>
To: typo3-announce/lists.netfielders.de
Subject: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070608-1: SQL injection in macina_banners / ric_rotation

Dear users of TYPO3,

Several SQL Injections have been discovered in the extensions
macina_banners and its descendant ric_rotation.

==== Component Type ====
Third party extensions. These extensions are not part of the TYPO3
default installation.

==== Affected Versions ====
Affected is macina_banners (version 1.4.0 and below)
and its descendant ric_rotation (version 1.9.9 and below).
For clarification: ww_macinabanners is not affected.

==== Vulnerability Type ====
SQL Injection

==== Severity ====
HIGH (exploitations have been reported, so it is supposed to be "in  
the wild")

==== Problem Description ====
These extensions are exposed to an SQL injection issue because they
fail to properly sanitize user-supplied input.

==== Solution ====
Updated versions are available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/macina_banners/1.4.1/
and
typo3.org/extensions/repository/view/ric_rotation/1.9.10/
Users of these extensions are strongly advised to update the  
extension immediately.

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security  
Cookbook.

==== Credits ====
Credits go to Jan Radecker who discovered this issue and to Wolfgang  
Becker and Clemens Riccabona who immediately fixed their extensions.

You can view the entire bulletin page here at the below address:
http://typo3.org/teams/security/security-bulletins/typo3-20070608-1/


Regards,

Lars Houmark
TYPO3 Security Team
lars/typo3.org

_______________________________________________
TYPO3-announce mailing list
TYPO3-announce/lists.netfielders.de
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike at altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/
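The bulletin only says that the extensions fail to sanitize user-supplied input before it reaches SQL. For extension authors who maintain similar code, the snippet below is an added, hypothetical example (not code from macina_banners, ric_rotation or the bulletin) of the vulnerable pattern next to the fix as a TYPO3 4.x extension would write it. It assumes the t3lib_DB / t3lib_div API of that era (exec_SELECTquery, fullQuoteStr, sql_fetch_assoc, t3lib_div::_GP); the class, table and field names are invented.

```php
<?php
// Added example, not code from the affected extensions.
// Assumes the TYPO3 4.x t3lib_DB and t3lib_div API; table and field names are invented.

class tx_example_banners {

    // Vulnerable pattern: request parameters are concatenated straight into the
    // WHERE clause, so the value of "uid" or "category" becomes part of the SQL
    // statement instead of staying data. This is the shape of bug the bulletin
    // describes; do not use it.
    function getBanner_vulnerable() {
        $uid      = t3lib_div::_GP('uid');
        $category = t3lib_div::_GP('category');
        $where = 'uid=' . $uid . ' AND category="' . $category . '" AND deleted=0';
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_example_banners', $where);
        return $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
    }

    // Hardened pattern: integer parameters are cast with intval(), string
    // parameters are quoted and escaped with fullQuoteStr() for the target table.
    // Whatever the request contains, it can only ever be compared as a value.
    function getBanner() {
        $uid      = intval(t3lib_div::_GP('uid'));
        $category = $GLOBALS['TYPO3_DB']->fullQuoteStr(
            t3lib_div::_GP('category'),
            'tx_example_banners'
        );
        $where = 'uid=' . $uid . ' AND category=' . $category . ' AND deleted=0';
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_example_banners', $where);
        return $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
    }
}
?>
```

The rule of thumb the fixed version follows: every value that comes from GET or POST goes through exactly one of intval() (for numeric ids) or fullQuoteStr() (for strings, which adds the surrounding quotes itself) before it is placed in a query string. Reviewing an extension for this bug means finding every exec_*query / sql_query call and tracing each value in its WHERE clause back to one of those two calls.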

