[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20080416-2: SQL Injection in extensions pmk_rssnewsexport and cm_rdfexport

Michael Shigorin mike at osdn.org.ua
Wed Apr 16 09:32:55 CEST 2008 

----- Forwarded message from Henning Pingel <henning/typo3.org> -----

Date: Wed, 16 Apr 2008 07:13:30 +0200
From: Henning Pingel <henning/typo3.org>
To: typo3-announce/lists.netfielders.de
Subject: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20080416-2: SQL Injection in extensions pmk_rssnewsexport and cm_rdfexport

Dear users of TYPO3,

It has been discovered that the extensions pmk_rssnewsexport and
cm_rdfexport are vulnerable to SQL Injection attacks.

==== Component Type ====
Third party extensions. These extensions are not part of the TYPO3
default installation.

==== Affected Versions ====
pmk_rssnewsexport: All versions
cm_rdfexport: All versions

==== Vulnerability Type ====
SQL Injection

==== Severity ====
HIGH

==== Problem Description ====
Both extensions are open to SQL injection flaws because they fail to
properly sanitize user-supplied input.

==== Solution ====
No fixed versions are available, so users are encouraged to remove these
extensions from their TYPO3 installation. The functionality of both
extensions is included in current versions of extension tt_news,
therefore pmk_rssnewsexport and cm_rdfexportare are obsolete and were
removed from TER. Users of the vulnerable extensions should use the
RDF/RSS export functionality of tt_news instead.

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security Cookbook
[1]. Check the TYPO3 security bulletin page frequently for updates [2].
This bulletin TYPO3-20080416-2 is available at [3].

==== Credits ====
The TYPO3 Security Team wishes to thank Anders Skovsgaard from
Hackavoid.com who discovered and reported the security issue.

Regards,
Henning Pingel
henning/typo3.org

[1]
<http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>
[2] <http://typo3.org/teams/security/security-bulletins/>
[3] <http://typo3.org/teams/security/security-bulletins/typo3-20080416-2/>



_______________________________________________
TYPO3-announce mailing list
TYPO3-announce/lists.netfielders.de
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike at altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

More information about the TYPO3-russia mailing list