[TYPO3-announce] Multiple vulnerabilities found in TYPO3 Core

TYPO3 Security Team security at typo3.org
Wed Mar 28 14:36:30 CEST 2012


Dear users of TYPO3!

It has been discovered that the TYPO3 Core is vulnerable to Cross-Site Scripting, Insecure Unserialize and Information Disclosure.

For more details on the issues, please read the corresponding advisory:

TYPO3 Security Bulletin TYPO3-CORE-SA-2012-001: Several Vulnerabilities in TYPO3 Core
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/


[IMPORTANT]
With the newly released TYPO3 versions, the description field of the filelink content element is HTML-encoded by default.
If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing editors to enter HTML in this field is discouraged, just as allowing the plain HTML content element is.
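The following is an added illustration, not code from the TYPO3 project or this announcement. It shows what the two render modes of the description field amount to, and audits a TypoScript setup (plain assignment or brace-block form) for the opt-out line above; the parser is a simplified stand-in for TYPO3's own TypoScript parser and the setup text is constructed for the example.

```python
import html
import re

# Key from the bulletin that switches encoding of the filelink description off.
DESCRIPTION_ENCODING_KEY = "tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars"


def typoscript_assignments(setup: str) -> dict:
    """Flatten a TypoScript setup into {dotted.path: value}.

    Simplified parser (not TYPO3's own): handles `a.b = x` lines and
    `a.b { c = x }` brace blocks, skips comments and condition lines, and
    ignores other operators such as `:=`, `<` and `>`.
    """
    result = {}
    prefix = []  # stack of open brace-block paths
    for raw in setup.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//", "[")):
            continue
        if line == "}":
            if prefix:
                prefix.pop()
            continue
        m = re.match(r"^([\w.\-]+)\s*\{$", line)
        if m:
            prefix.append(m.group(1))
            continue
        m = re.match(r"^([\w.\-]+)\s*=\s*(.*)$", line)
        if m:
            key = ".".join(prefix + [m.group(1)])
            result[key] = m.group(2).strip()
    return result


def description_is_encoded(setup: str) -> bool:
    """True unless the template explicitly sets the key to 0 (post-fix default is on)."""
    value = typoscript_assignments(setup).get(DESCRIPTION_ENCODING_KEY, "1")
    return value != "0"


def render_description(description: str, html_special_chars: bool) -> str:
    """Encoded mode neutralises markup in editor input; raw mode passes it through."""
    return html.escape(description, quote=True) if html_special_chars else description


if __name__ == "__main__":
    # Constructed setup that opts out via a brace block, as an editor-friendly template might.
    setup = "tt_content.uploads.20.itemRendering.20.2 {\n  htmlSpecialChars = 0\n}\n"
    print("encoded:", description_is_encoded(setup))
    print(render_description("<b>Report</b> & notes", description_is_encoded(setup)))
```

Running it against each site's TypoScript setup after the upgrade tells you which templates still render editor-supplied HTML in this field.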



In general, the TYPO3 Security Team recommends reading the following pages:

The TYPO3 Security Guide:
http://typo3.org/documentation/document-library/extension-manuals/doc_guide_security/current/

Make sure you are subscribed to the TYPO3 Announce List:
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

See all TYPO3 security advisories:
http://typo3.org/teams/security/security-bulletins/



Regards,

Helmut Hummel
Leader of the TYPO3 Security Team

--
TYPO3 Security Team homepage: http://typo3.org/teams/security/

E-Mail: security at typo3.org
