[Typo3-announce] Security Bulletin TYPO3-20051010-1 : fe_news, fe_rtenews

Ekkehard Gümbel guembel at naw.de
Mon Oct 10 15:00:35 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Bulletin TYPO3-20051010-1
http://typo3.org/teams/security/security-bulletins/typo3-20051010-10/

Component Type: Third Party Extension. This extension is third party code
that has not been submitted to the TYPO3 extension review process yet. The
extension is not part of TYPO3 default installations.


Affected Component:
    (a) fe_news
    (b) fe_rtenews

Version:
    (a) fe_news: all versions
    (b) fe_rtenews: 0.4.3 and earlier
Vulnerability Type: Information Disclosure, Data Corruption
Severity: High


Problem Description:
A bug has been discovered in the "Front End News Submitter" (fe_news): user-supplied
input is not safely handled before it is used in SQL queries, so SQL injection
(execution of attacker-controlled SQL statements against the TYPO3 database) is
possible.
Since the RTE-enabled version (fe_rtenews) is derived from fe_news, it is
affected as well.
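The bulletin does not publish the vulnerable code, so the following is an added
illustration of the bug class only, not code from fe_news, fe_rtenews or TYPO3.
It models a moderated front-end submission form in Python with sqlite3: the
table names, columns, user records and attacker inputs are all constructed for
this example. The "vulnerable" functions build query text from user input, the
"safe" ones bind parameters and validate types; the demo shows both outcomes
named in the bulletin (data corruption: a submission that publishes itself
without review; information disclosure: a UNION that reads another table).

```python
import sqlite3

# Constructed sample schema for this illustration. The table and column names
# are assumptions, not taken from fe_news, fe_rtenews or a real TYPO3 site.
SCHEMA = """
CREATE TABLE tx_fenews_news (
    uid    INTEGER PRIMARY KEY,
    title  TEXT NOT NULL,
    body   TEXT NOT NULL,
    hidden INTEGER NOT NULL DEFAULT 1   -- 1 = awaiting editorial review
);
CREATE TABLE fe_users (
    uid      INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password TEXT NOT NULL
);
INSERT INTO tx_fenews_news (title, body, hidden) VALUES ('Welcome', 'First post', 0);
INSERT INTO fe_users (username, password) VALUES ('editor', 's3cret-hash');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Vulnerable pattern: form input concatenated into the query text. ---

def insert_news_vulnerable(conn, title, body):
    # Every submission is meant to start hidden (hidden = 1) until an editor
    # reviews it, but the caller controls the literal text of the statement.
    sql = ("INSERT INTO tx_fenews_news (title, body, hidden) "
           "VALUES ('%s', '%s', 1)" % (title, body))
    conn.execute(sql)


def show_news_vulnerable(conn, uid):
    # Only published rows should ever be returned; 'uid' is pasted in verbatim.
    sql = ("SELECT title, body FROM tx_fenews_news "
           "WHERE uid = %s AND hidden = 0" % uid)
    return conn.execute(sql).fetchall()


# --- Hardened pattern: bound parameters plus input validation. ---

def insert_news_safe(conn, title, body):
    # Placeholders keep the submitted text as data; it can never close the
    # quotes or change the hidden flag.
    conn.execute("INSERT INTO tx_fenews_news (title, body, hidden) "
                 "VALUES (?, ?, 1)", (title, body))


def show_news_safe(conn, uid):
    uid = int(uid)   # raises ValueError for anything that is not an integer
    return conn.execute("SELECT title, body FROM tx_fenews_news "
                        "WHERE uid = ? AND hidden = 0", (uid,)).fetchall()


def published_titles(conn):
    rows = conn.execute("SELECT title FROM tx_fenews_news "
                        "WHERE hidden = 0 ORDER BY uid")
    return [r[0] for r in rows]


# Constructed attacker inputs (what a visitor types into the form / URL).
MODERATION_BYPASS = "Buy now', 'spam', 0) -- "   # closes the VALUES tuple early
UNION_DUMP = "0 UNION SELECT username, password FROM fe_users -- "


def demo():
    """Run both attacker inputs against the vulnerable and the safe code."""
    results = {}

    conn = make_db()
    insert_news_vulnerable(conn, MODERATION_BYPASS, "harmless body")
    results["vuln_published"] = published_titles(conn)          # spam went live
    results["vuln_dump"] = show_news_vulnerable(conn, UNION_DUMP)  # fe_users leaked

    conn = make_db()
    insert_news_safe(conn, MODERATION_BYPASS, "harmless body")
    results["safe_published"] = published_titles(conn)          # still hidden
    try:
        results["safe_dump"] = show_news_safe(conn, UNION_DUMP)
    except ValueError:
        results["safe_dump"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The bypass payload works without multi-statement execution, which is why a
form that only reaches a single `mysql_query()` style call is still fully
exploitable; the fix is parameter binding (or, in TYPO3 of that era, the
database API's quoting helpers) on every value, not a filter on the form.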

 
Solution:
    (a) fe_news: The author has been contacted multiple times but has not
responded yet. The extension has therefore been taken offline from typo3.org
and the TER.
All users of this extension are strongly advised to either migrate to
fe_rtenews (version 0.4.4 if you do not want RTE functionality) or to
disable the extension. Limiting fe_news access to registered users is not
considered a safe workaround, since the injection is reachable by anyone who
can use the submission form.

    (b) fe_rtenews: An updated version (1.3.1) of fe_rtenews is available at
typo3.org/extensions/repository/list/fe_rtenews or via the Extension
Manager.
All users of this extension are advised to update immediately.


Credits:
Thanks to Sacha Ligthert for notifying us; thanks to Toni Milovan for
immediately providing a fixed version of fe_rtenews.




Regards,
Ekkehard Guembel
TYPO3 Security Team


-> This information comes with ABSOLUTELY NO WARRANTY.
-> Visit http://typo3.org/teams/security/security-bulletins

-----BEGIN PGP SIGNATURE-----

iQA/AwUBQ0pXobacx8F96kPgEQIDbwCg7GunLVr5IkbjtX1fYUWI8EwLQt4AoPoq
LmT0MKjUO3GkCCft8WlFuaEb
=YJKA
-----END PGP SIGNATURE-----
