In association with heise online

27 May 2008, 13:42

TYPO3 modules allow SQL injection and cross-site scripting

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The developers of the kj_imagelightbox2 and sg_zfelib add-on modules for the TYPO3 open source content management system have patched security holes that allow attackers to inject SQL commands or conduct cross-site scripting attacks. The modules are all provided by third parties and are not part of the standard TYPO3 installation.

The Library for Frontend plugins (sg_zfelib) does not filter user input, allowing SQL commands that provide attackers with read access to the database to be injected. The sg_zfelib provides functions for other libraries, which may also be affected by the flaw. The TYPO3 developers list the following add-on components as examples:

  • sg_newsplus
  • sg_address
  • sg_avmedia
  • sg_event
  • sg_genealogy
  • sg_glossary
  • sg_newsletter
  • sg_prodprom
  • sg_smallads
  • sg_userdata
  • sg_filelist
  • sg_dictionary

The KJ:Image Lightbox v2 extension (kj_imagelightbox2) does not filter user input, and therefore allows cross-site scripting attacks. The developers have released updated versions of both modules. Users of the plug-ins are advised to download and install these updates as soon as possible.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit