[TYPO3-core] RFC #15227: Bug: class.tslib_content.php returns unfiltered data

Helmut Hummel helmut at typo3.org
Mon Jul 26 20:35:08 CEST 2010


Hi,

On 26.07.10 09:55, Jigal van Hemert wrote:
> 
>> and secure Typoscript. Whether this is a critical exploit or not I
>> still think it deserves attention.
> If you think that this is a security problem, you should not discuss
> this on public lists, but report it to the security team:
> http://typo3.org/teams/security/contact-us/

He did :)

But I told him to propose an RFC on this list, here's why:

I do not see this as a security issue as such, because you have to be able
to manipulate TypoScript to exploit it => you have to be an admin.

Much worse things could be done with plain TypoScript if an admin isn't
aware of that fact.

But with the current TS implementation it's impossible to do something
on our side, but we have to rely on responsible admins/integrators.

Regards Helmut


