[Typo3-announce] Security Bulletin TYPO3-20051107-1: chc_forum

Ekkehard Gümbel ekki at typo3.org
Mon Nov 7 16:50:38 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Bulletin TYPO3-20051107-1: chc_forum
http://typo3.org/teams/security/security-bulletins/typo3-20051107-1/

Component Type: Third Party Extension. This extension is third party code
that has not been submitted to the TYPO3 extension review process yet. The
extension is not part of TYPO3 default installations.

Affected Components: chc_forum

Versions: 1.4.1 and earlier
Vulnerability Type: Cross Site Scripting
Severity: Medium

Problem Description:
A bug has been discovered in the "CHC Forum" (chc_forum) extension where
some JavaScript expressions are not properly caught when entered in forms.
Thus, specially crafted entries may be used to inject malicious code.

Solution:
An updated version (1.4.2) of chc_forum can be found on
typo3.org/extensions/repository/list/chc_forum or via Extension Manager.
All users of this extension are advised to update immediately.

Credits:
Thanks to Zach Davis (author of chc_forum) for notifying us and for
providing a fixed version.


Regards,
Ekkehard Guembel
TYPO3 Security Team


- -> This information comes with ABSOLUTELY NO WARRANTY.
- -> Visit http://typo3.org/teams/security/security-bulletins

-----BEGIN PGP SIGNATURE-----

iQA/AwUBQ29Tx7acx8F96kPgEQKTcACgzAtYM1U2AlqyP+CHvVjANcrzPE8AoKbV
XSZO3rSxuoMMjjB+PbaeE5lF
=B+cs
-----END PGP SIGNATURE-----