[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070608-1: SQL injection in macina_banners / ric_rotation
Michael Shigorin
mike at osdn.org.ua
Tue Jun 12 16:17:28 CEST 2007
----- Forwarded message from Lars Houmark <lars/typo3.org> -----
Date: Mon, 11 Jun 2007 14:44:55 +0200
From: Lars Houmark <lars/typo3.org>
To: typo3-announce/lists.netfielders.de
Subject: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070608-1: SQL injection in macina_banners / ric_rotation
Dear users of TYPO3,
Several SQL Injections has been discovered in the extensions
macina_banners and its descendant ric_rotation.
==== Component Type ====
Third party extensions. These extensions is not part of the TYPO3
default
installation
==== Affected Versions ====
Affected is macina_banners (version 1.4.0 and below)
and its descendant ric_rotation (version 1.9.9 and below).
For clarification: ww_macinabanners is not affected.
==== Vulnerability Type ====
SQL Injection
==== Severity ====
HIGH (exploitations have been reported, so it is supposed to be "in
the wild")
==== Problem Description ====
These extensions are exposed to an SQL injection issue because it
fails to properly sanitize user-supplied input.
==== Solution ====
Updated versions are available from the TYPO3 extension manager and at
typo3.org/extensions/repository/view/macina_banners/1.4.1/
and
typo3.org/extensions/repository/view/ric_rotation/1.9.10/
Users of these extensions are strongly advised to update the
extension immediately.
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook.
==== Credits ====
Credits go to Jan Radecker who discovered this issue and to Wolfgang
Becker and Clemens Riccabona who immediately fixed their extensions.
You can view the entire bulletin page here at the below address:
http://typo3.org/teams/security/security-bulletins/typo3-20070608-1/
Regards,
Lars Houmark
TYPO3 Security Team
lars/typo3.org
_______________________________________________
TYPO3-announce mailing list
TYPO3-announce/lists.netfielders.de
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce
----- End forwarded message -----
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/
More information about the TYPO3-russia
mailing list