[TYPO3] TYPO3 Security Bulletin 20070710-1: SQL Injection in fechangepassword
Lars Houmark
lars at typo3.org
Tue Jul 10 20:15:27 CEST 2007
Dear users of TYPO3,
It has been discovered that the extension fechangepassword is vulnerable
to SQL injection when a password is updated.
==== Component Type ====
Third party extension. This extension is not part of the TYPO3
default installation.
==== Affected Versions ====
Version 2.1.2 and all earlier versions
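A quick way to check which release of the extension an installation carries is to read the version entry from the extension's ext_emconf.php (the file the Extension Manager itself reads) and compare it against the fixed release. The following is an added example, not code from the bulletin or from the extension; the ext_emconf.php fragment is constructed for illustration, and the path typo3conf/ext/fechangepassword/ext_emconf.php is the conventional location rather than one the bulletin states:

```python
import re

# Constructed ext_emconf.php fragment in the layout TYPO3 extensions use;
# only the 'version' entry matters for the check below.
SAMPLE_EMCONF = """<?php
$EM_CONF[$_EXTKEY] = array(
    'title' => '(constructed example)',
    'version' => '2.1.2',
    'state' => 'stable',
);
?>"""

# First release that the bulletin names as fixed.
FIXED_VERSION = (2, 2, 0)


def parse_emconf_version(text):
    """Extract the 'version' => '...' entry and return it as an int tuple.
    Non-numeric suffixes such as '-dev' are ignored; missing components
    are padded with zeros so that '2.2' compares equal to '2.2.0'."""
    m = re.search(r"'version'\s*=>\s*'([^']+)'", text)
    if not m:
        raise ValueError("no version entry found in ext_emconf.php")
    parts = [int(p) for p in re.findall(r"\d+", m.group(1))][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """Per the bulletin, 2.1.2 and every earlier release are affected;
    anything from 2.2.0 upwards carries the fix."""
    return version < FIXED_VERSION


def check_install(emconf_text):
    """Return (version, affected) for the given ext_emconf.php contents."""
    version = parse_emconf_version(emconf_text)
    return version, is_affected(version)


if __name__ == "__main__":
    # In a real check, read typo3conf/ext/fechangepassword/ext_emconf.php
    # (assumed conventional path) instead of the constructed sample.
    version, affected = check_install(SAMPLE_EMCONF)
    print("installed:", ".".join(map(str, version)), "affected:", affected)
```

Tuple comparison is used deliberately: comparing the raw strings would rank "2.10.0" below "2.2.0".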
==== Vulnerability Type ====
SQL Injection
==== Severity ====
HIGH
==== Problem Description ====
When changing the password, a crafted POST request can inject SQL into
the UPDATE query that stores the new password.
==== Solution ====
An updated version (2.2.0) is available from the TYPO3 extension manager
and at http://typo3.org/extensions/repository/view/fechangepassword/2.2.0/
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook [1].
==== Credits ====
Credits go to Allan Jacobsen who is the author and fixed the issue.
[1] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
Regards,
Lars Houmark
lars at typo3.org