[TYPO3-UG Russia] Fwd: [TYPO3-announce] Multiple vulnerabilities found in TYPO3 Core

Michael Shigorin mike at osdn.org.ua
Wed Mar 28 14:46:55 CEST 2012


----- Forwarded message from TYPO3 Security Team <security at typo3.org> -----

Date: Wed, 28 Mar 2012 14:36:30 +0200
From: TYPO3 Security Team <security at typo3.org>
To: "TYPO3 Announcement List, readonly" <typo3-announce at lists.typo3.org>
Subject: [TYPO3-announce] Multiple vulnerabilities found in TYPO3 Core

Dear users of TYPO3!

It has been discovered that the TYPO3 Core is vulnerable to Cross-Site Scripting, Insecure Unserialize and Information Disclosure.

For more details on the issues please read the accordant advisory:

TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several Vulnerabilities in TYPO3 Core
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/


[IMPORTANT]
With the newly released TYPO3 versions the description field of the filelink content element is HTML encoded by default.
If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template, before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing HTML in this field is discouraged for editors, same as allowing the plain HTML content element.



In general the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Guide:
http://typo3.org/documentation/document-library/extension-manuals/doc_guide_security/current/

Make sure you are subscribed to the TYPO3 Announce List:
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

See all TYPO3 security advisories:
http://typo3.org/teams/security/security-bulletins/



Regards,

Helmut Hummel
Leader of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/

E-Mail: security at typo3.org


----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike at altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

