[TYPO3-announce] [Ticket#2011121510000044] Important Security-Bulletin Pre-Announcement
TYPO3 Security Team
security at typo3.org
Thu Dec 15 13:06:10 CET 2011
Dear users of TYPO3,
The TYPO3 security team has identified a critical security issue in the TYPO3 v4 Core.
The following branches are affected by the vulnerability:
* TYPO3 4.5
* TYPO3 4.6
TYPO3 releases containing a security fix will be published tomorrow, Friday 16th
of December at about 10:00 am CET.
Exploiting this vulnerability is only possible for specific server environments.
Amongst others, PHP flag "register_globals" is required
to be activated.
Please consider deactivating "register_globals"; this setting is deprecated
nowadays (PHP 5.3+) and is generally not needed for TYPO3.
Installations running an older TYPO3 version (4.4 and lower) or do not have this
PHP setting activated, are *not* affected.
Since this is a very important security fix, please be prepared to update your
TYPO3 installations on Friday.
Until the advisory is out, please understand that we cannot provide any further
information.
CVSS v2.0 data on the to be released bulletin:
Base AV:N/AC:M/Au:N/C:C/I:C/A:C | Temporal E:F/RL:OF/RC:C
Regards,
Marcus Krause
Member of the TYPO3 Security Team
--
TYPO3 Security Team homepage: http://typo3.org/teams/security/
E-Mail: security at typo3.org
Please note: When replying to this e-mail, please leave the header intact.
More information about the TYPO3-announce
mailing list