In association with heise online

21 January 2009, 11:17

Security update for critical holes in Typo3


The Typo3 developers have indicated that there are multiple vulnerabilities in the free content management system, in versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7 and 4.2.0 to 4.2.3. In addition to cross-site scripting errors and weak encryption, an attacker can send their own commands to the system's shell and execute them. Faults in parameter processing in the "Indexed Search Engine" extension are the cause of these problems.

Versions 4.0.10, 4.1.8 and 4.2.4 contain fixes for these vulnerabilities. The developers have rated the severity of the issues as "high". Users should download and install the updates as quickly as possible. However, the 4.1.8 and 4.0.10 releases have an issue with PHP4: a "public static function" declaration (only supported on PHP5) was accidentally introduced in the source. A fix for this is promised, but users who cannot wait for a revised version of the code can remove the "public static" text from the function declaration of getRandomBytes found in t3lib/class.t3lib_div.php.
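One way to apply that PHP4 workaround repeatably is sketched below. It is an added example, not code from the Typo3 project or from this article. The function name `fix_php4_getrandombytes` is hypothetical, and it assumes the declaration sits on a single line.

```shell
#!/bin/sh
# Added example (not Typo3 project code): apply the PHP4 workaround for
# 4.0.10 / 4.1.8 by dropping "public static" from the getRandomBytes
# declaration only. Assumes the declaration is on one line.
# Return codes: 0 = patched, 1 = nothing to change, 2 = error.

fix_php4_getrandombytes() {
    file=$1   # path to t3lib/class.t3lib_div.php inside the Typo3 source tree
    pat='public[[:space:]]+static[[:space:]]+(function[[:space:]]+getRandomBytes[[:space:]]*\()'

    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }

    # Already clean (revised release, or workaround applied earlier).
    if ! grep -Eq "$pat" "$file"; then
        echo "no change needed: $file"
        return 1
    fi

    # Keep the shipped file so the change can be rolled back or diffed.
    cp -p "$file" "$file.orig" || return 2

    # Write into the existing file so its mode and ownership are preserved.
    # Other "public static" declarations in the file are left untouched.
    if ! sed -E "s/$pat/\\1/" "$file.orig" > "$file"; then
        cp -p "$file.orig" "$file"
        return 2
    fi

    echo "patched: $file (backup: $file.orig)"
    return 0
}

# Usage (path is relative to the Typo3 source directory):
#   fix_php4_getrandombytes t3lib/class.t3lib_div.php
```

Once the promised revised releases are installed the function reports that no change is needed, so it is safe to leave in a deployment script.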
