In association with heise online

06 April 2009, 16:11

Numerous vulnerabilities in TYPO3 extensions


The TYPO3 developers have issued advisories for multiple vulnerabilities in third-party extensions. Cross-site scripting vulnerabilities can be found in the Visitor Tracking (ws_stats), Userdata Create/Edit (sg_userdata) and Store Locator (locator) extensions. SQL injection vulnerabilities were found in the A21glossary Advanced Output (a21glossary_advanced_output), Store Locator (locator), Versatile Calendar Extension [VCE] (sk_calendar) and ultra-Cards (th_ultracards) extensions.

The Directory Listing (dir_listing) extension has a directory traversal vulnerability and the ClickStream Analyzer [output] (alternet_csa_out) extension may reveal private information. Apart from ClickStream Analyzer and Directory Listing (both have been deleted from the TYPO3 repository), updates that fix the problems are available for all of the extensions.

Another report describes a vulnerability in the Frontend User Registration (sr_feuser_register) extension that allows information, such as passwords, to be disclosed to users without proper access rights. The 2.5.21 update resolves the issue.
