[TYPO3-core] [TYPO3-dev] Re: RFC #12094: Bug: stdWrap function fullQuoteStr

JoH asenau info at cybercraft.de
Fri Oct 2 15:11:16 CEST 2009


>> In this case there is no vulnerability in TYPO3 unless the admin
>> himself introduced it with TypoScript.
>> So nothing the security team should be aware of.
>
> Wrong. In any security-related case the security team must be
> consulted.

So did you already contact the security team to tell them that there might
be the possibility of MySQL injections in case somebody doesn't escape user-
generated values in a SELECT query?

Come on, Dmitry, this is ridiculous. We are not talking about a security
hole in TYPO3 itself but about holes that admins might create when using
TypoScript. It's the same as if you tell people not to use unescaped GET
vars in PHP when creating SELECT queries. This is common knowledge and
nothing for the security team and definitely nothing to keep secret.

But let's move the discussion to the dev list.

Joey

-- 
Wenn man keine Ahnung hat: Einfach mal Fresse halten!
(If you have no clues: simply shut your gob sometimes!)
Dieter Nuhr, German comedian
Xing: http://contact.cybercraft.de
Twitter: http://twitter.com/bunnyfield
TYPO3 cookbook (2nd edition): http://www.typo3experts.com
TYPO3 workshops: http://workshops.eqony.com
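The mistake the message describes, as an added example that is not part of the original thread and not TYPO3 or TypoScript code: a request value concatenated unescaped into a SELECT, next to the two hardened forms. It runs offline against an in-memory SQLite database through PDO; the table, its rows and the attacker-controlled value are constructed for the demo, and PDO::quote() stands in for the quote-and-escape step that fullQuoteStr performs in TYPO3.

```php
<?php
// Added example (not from the original thread). An in-memory SQLite database
// via PDO so the demo runs without a MySQL server; the schema, rows and the
// attack string below are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$db->exec("INSERT INTO pages VALUES (1, 'Home', 0), (2, 'Internal draft', 1), (3, 'Contact', 0)");

// Vulnerable: the request value goes into the SQL text unescaped. This is
// exactly the "unescaped GET var in a SELECT query" the message warns against.
function findVulnerable(PDO $db, string $title): array
{
    $sql = "SELECT uid, title FROM pages WHERE hidden = 0 AND title = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened, variant 1: quote and escape the value before concatenating it.
// PDO::quote() here plays the role fullQuoteStr() plays in TYPO3.
function findQuoted(PDO $db, string $title): array
{
    $sql = "SELECT uid, title FROM pages WHERE hidden = 0 AND title = " . $db->quote($title);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened, variant 2: a prepared statement keeps the data out of the SQL text
// entirely, so no escaping decision is left to the caller.
function findPrepared(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT uid, title FROM pages WHERE hidden = 0 AND title = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A value an attacker can supply in the request, e.g. ?title=... (constructed).
// Unescaped it turns the WHERE clause into
//   hidden = 0 AND title = '' OR '1'='1'
// and AND binds tighter than OR, so the hidden row is returned too.
$attack = "' OR '1'='1";

printf("vulnerable: %d row(s)\n", count(findVulnerable($db, $attack)));
printf("quoted:     %d row(s)\n", count(findQuoted($db, $attack)));
printf("prepared:   %d row(s)\n", count(findPrepared($db, $attack)));
```

Run with `php example.php` (needs the pdo_sqlite extension). With that input the vulnerable query returns every row of the table, hidden draft included, while the quoted and the prepared versions match nothing because the quote characters are treated as data. The same holds in TypoScript: a value pulled from the request and placed into a query without the fullQuoteStr step has the same effect as the first function.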