[TYPO3-announce] Multiple vulnerabilities found in TYPO3 Core

TYPO3 Security Team security at typo3.org
Wed Sep 14 12:13:15 CEST 2011


Dear users of TYPO3!

It has been discovered that the TYPO3 prepared statement database API, which was introduced in TYPO3 version 4.5, allows SQL injections.

Also, it was brought to our attention that in all TYPO3 versions starting from 4.2, improper error handling in the caching system could lead to cache flooding.


For more details on both issues, please read the corresponding advisories:

TYPO3 Security Bulletin TYPO3-CORE-SA-2011-002: Potential SQL injection vulnerability in TYPO3 Core
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-002/

TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error handling could lead to cache flooding in TYPO3 Core:
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-003/




In general, the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Cookbook:
<http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf>

Make sure you are subscribed to the TYPO3 Announce List:
<http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce>

See all TYPO3 security advisories:
<http://typo3.org/teams/security/security-bulletins/>


Kind Regards,

Helmut Hummel
Member of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/

E-Mail: security at typo3.org
_______________________________________________
TYPO3-announce mailing list
TYPO3-announce at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce