[TYPO3-UG Russia] Fwd: [TYPO3-announce] Multiple vulnerabilities found in TYPO3 Core

Michael Shigorin mike at osdn.org.ua
Wed Sep 14 12:31:36 CEST 2011


4.5.6, 4.4.11, 4.3.14

----- Forwarded message from TYPO3 Security Team <security/typo3.org> -----

Date: Wed, 14 Sep 2011 12:13:15 +0200
From: TYPO3 Security Team <security/typo3.org>
To: typo3-announce/lists.typo3.org
Subject: [TYPO3-announce]  Multiple vulnerabilities found in TYPO3 Core

Dear users of TYPO3!

It has been discovered that the TYPO3 prepared statement database API, which was introduced in TYPO3 version 4.5, allows SQL Injections.

Also it was brought to our attention that in all TYPO3 versions starting from 4.2, improper error handling in the caching system could lead to cache flooding.


For more details on both issues please read the accordant advisories:

TYPO3 Security Bulletin TYPO3-CORE-SA-2011-002: Potential SQL injection vulnerability in TYPO3 Core
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-002/

TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error handling could lead to cache flooding in TYPO3 Core:
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-003/




In general the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Cookbook:
<http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>

Make sure you are subscribed to the TYPO3 Announce List:
<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce>

See all TYPO3 security advisories:
<http://typo3.org/teams/security/security-bulletins/>


Kind Regards,

Helmut Hummel
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/

E-Mail: security/typo3.org
_______________________________________________
TYPO3-announce mailing list
TYPO3-announce/lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike at altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

