In association with heise online

03 December 2009, 14:31

Vulnerabilities in multiple Typo3 extensions


The Typo3 development team has published reports on three vulnerabilities which describe problems including cross-site scripting, SQL injections and command injections in a total of nine extensions. These could allow an attacker to manipulate a database to access confidential data or even to obtain administrative access to a system.

The extensions are not part of the default Typo3 installation. According to the reports, the extensions affected include:

  • [AN] Search it! (an_searchit) 2.4.1 and prior
  • Simple download-system with counter and categories (kk_downloader) 1.2.1 and prior
  • Automatic Base Tags for RealUrl (lt_basetag) 1.0.0
  • Trips (mchtrips) 2.0.0
  • simple Glossar (simple_glossar) 1.0.3 and prior
  • TW Productfinder (tw_productfinder) 0.0.2 and prior
  • DB Integration (wfqbe) 1.3.1 and prior
  • Direct Mail (direct_mail) 2.6.4 and prior
  • Calendar Base (cal) 1.2.0 and prior

The developers class most of the problems as high risk. Updates are so far only available for DB Integration, Trips, kk_downloader, Direct Mail and Calendar Base, and can be installed via the Typo3 Extension Manager. Updates for other affected extensions are, for a variety of reasons, not yet available and users are advised to remove them – they have already been removed from the Typo3 extension repository.
