Numerous vulnerabilities in TYPO3 extensions
The TYPO3 developers have issued advisories for multiple vulnerabilities in third-party extensions. Cross-site scripting vulnerabilities were found in the Visitor Tracking (ws_stats), Userdata Create/Edit (sg_userdata) and Store Locator (locator) extensions. SQL injection vulnerabilities were found in the A21glossary Advanced Output (a21glossary_advanced_output), Store Locator (locator), Versatile Calendar Extension [VCE] (sk_calendar) and ultra-Cards (th_ultracards) extensions.
The Directory Listing (dir_listing) extension has a directory traversal vulnerability and the ClickStream Analyzer [output] (alternet_csa_out) extension may reveal private information. Apart from ClickStream Analyzer and Directory Listing (both have been deleted from the TYPO3 repository), updates that fix the problems are available for all of the extensions.
Another report describes a vulnerability in the Frontend User Registration (sr_feuser_register) extension that allows information, such as passwords, to be disclosed to users without proper access rights. The 2.5.21 update resolves the issue.
- TYPO3 Collective Security Bulletin TYPO3-SA-2009-005: Several vulnerabilities in third party extensions, TYPO3 security bulletin.
- TYPO3 Security Bulletin TYPO3-SA-2009-004: Information Disclosure in extension "Frontend User Registration" (sr_feuser_register), TYPO3 security bulletin.