In association with heise online

13 December 2007, 16:46

SQL injection vulnerability in Typo3 CMS

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A system extension of the Typo3 content-management system can be exploited in order to get authorized access to the database. This would allow an attacker to read or even manipulate data. According to the security advisory, the cause of the problem is an SQL injection bug in indexed_search, which is not described in detail. The extension is part of a standard installation.

Allegedly, the vulnerability can only be exploited if the attacker is logged in to the Typo3 back end - but he need not possess any admin rights. Typo3 3.x, 4.0 to 4.0.7 and 4.1 up to and including 4.1.3 are affected. In versions 4.1.4 and 4.0.8, the hole has been closed.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit