Security Advisories
All Advisories
TYPO3-20051114-1: TYPO3 Security Bulletin
The file editor functionality in the TYPO3 Install Tool (menu option "Edit files in typo3conf/") has an option that reads "Make backup copy". If set, this will create a backup copy and append a "~" to the original file name. This leads to file names that may be delivered as text files by a web server. Thus, sensitive information (e.g. the content of localconf.php) may be disclosed.
SECURITY-BULLETINS-CHC-FORUM-TH-MAILFORMPLUS: Security Bulletins: chc_forum, th_mailformplus
Two security bulletins regarding the 3rd party extensions "CHC Forum" and "th_mailformplus" have been issued today. Fixed versions are available.
TYPO3-20051107-2: th_mailformplus
A weakness in the form validation of th_mailformplus has been discovered that may be abused to inject additional recipients in mail forms.
TYPO3-20051107-1: chc_forum
A bug has been discovered in the "CHC Forum" (chc_forum) extension where some JavaScript expressions are not properly caught when entered in forms. Thus, specially crafted entries may be used to inject malicious code.
SECURITY-BULLETIN-TYPO3-20051010-1-FE-NEWS: Security Bulletin TYPO3-20051010-1: fe_news
A bug has been discovered in the "Front End News Submitter" (fe_news) where SQL injection is not safely prevented. fe_rtenews is affected as well.
TYPO3-20051010-10: TYPO3 Security Bulletin
A bug has been discovered in the "Front End News Submitter" (fe_news) where SQL injection is not safely prevented, so injecting malicious SQL commands may be possible. Since the RTE-enabled version (fe_rtenews) is derived from fe_news, it is affected as well.
TYPO3-20050822-1: TYPO3 Security Bulletin
A bug has been discovered in MOC filemanager (v. 0.7.1 and earlier): an attacker may gain unauthorized read access to files on the server.
SECURITY-BULLETIN-TYPO3-20050822-1: Security Bulletin TYPO3-20050822-1
A bug has been discovered in MOC filemanager (v. 0.7.1 and earlier): an attacker may gain unauthorized read access to files on the server.
SECURITY-BULLETIN-TYPO3-20050812-1: Security Bulletin TYPO3-20050812-1
Possible remote exploit with AWStats. The TYPO3 Security Team has issued a security bulletin which explains and fixes a possible problem with extensions shipping AWStats.
TYPO3-20050812-1: TYPO3 Security Bulletin
Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Successful exploitation results in the execution of arbitrary commands with permissions of the web service. This may compromise systems using extensions providing AWStats.