[TYPO3-announce] TYPO3 Security Bulletin 20070710-1: SQL Injection in fechangepassword

Lars Houmark lars at typo3.org
Tue Jul 10 20:15:27 CEST 2007


Dear users of TYPO3,

It has been discovered that the extension fechangepassword is open  
for a SQL injection when updating the password.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3  
default installation

==== Affected Versions ====
Version 2.1.2 and all versions below

==== Vulnerability Type ====
SQL Injection

==== Severity ====
HIGH

==== Problem Description ====
When changing the password, it is possible to post malicious data  
injecting the SQL update query.

==== Solution ====
  An updated version is available from the TYPO3 extension manager at  
http://typo3.org/extensions/repository/view/fechangepassword/2.2.0/

==== General advice ====
  Follow the recommendations that are given in the TYPO3 Security  
Cookbook [1].

==== Credits ====
Credits go to Allan Jacobsen who is the author and fixed the issue.

[1] http://typo3.org/fileadmin/security-team/ 
typo3_security_cookbook_v-0.5.pdf

Regards,

Lars Houmark
lars at typo3.org






More information about the TYPO3-announce mailing list