Security update for critical holes in Typo3
The Typo3 developers have indicated that there are multiple vulnerabilities in the free content management system, affecting versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7 and 4.2.0 to 4.2.3. Alongside cross-site scripting flaws and weak encryption, it is also possible for an attacker to inject their own commands and have them executed by the system's shell. Faults in parameter processing in the "Indexed Search Engine" extension are the cause of these problems.
Versions 4.0.10, 4.1.8 and 4.2.4 contain fixes for these vulnerabilities. The developers have rated the severity of the issues as "high". Users should download and install the updates as quickly as possible. However, the 4.1.8 and 4.0.10 releases have a problem with PHP4: a "public static function" declaration (only supported in PHP5) was accidentally introduced into the source. A fix for this is promised, but users who cannot wait for a revised version of the code can remove the "public static" text from the declaration of the getRandomBytes function found in
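As an added example (not from the advisory or the TYPO3 project), the following script encodes the affected ranges, fixed releases and PHP4 caveat named above so an administrator can check an inventory of installations offline; the host names and versions in it are constructed.

```python
"""Check installed TYPO3 versions against the ranges stated in TYPO3-SA-2009-001."""
from typing import NamedTuple, Optional

# First fixed release per branch, as stated in the bulletin:
# 4.0.0-4.0.9 -> 4.0.10, 4.1.0-4.1.7 -> 4.1.8, 4.2.0-4.2.3 -> 4.2.4.
FIXED_RELEASES = {
    (4, 0): (4, 0, 10),
    (4, 1): (4, 1, 8),
    (4, 2): (4, 2, 4),
}

# Releases that ship the "public static function" declaration, which fails on PHP4.
PHP4_INCOMPATIBLE = {(4, 0, 10), (4, 1, 8)}


class Verdict(NamedTuple):
    version: tuple
    affected: bool
    fixed_in: Optional[tuple]
    php4_caveat: bool


def parse_version(text: str) -> tuple:
    """Turn '4.1.7' into (4, 1, 7); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a TYPO3 release version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str, php_major: int = 5) -> Verdict:
    """Classify one installation; php_major is the PHP major version on that host."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branch outside the ranges the bulletin names (e.g. 4.3 or 3.x): not flagged here.
        return Verdict(version, False, None, False)
    affected = version < fixed
    # The caveat concerns the release the host runs or would upgrade to, on PHP4 only.
    php4_caveat = php_major == 4 and fixed in PHP4_INCOMPATIBLE
    return Verdict(version, affected, fixed if affected else None, php4_caveat)


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver, php in [("www1", "4.2.3", 5), ("intranet", "4.1.7", 4), ("shop", "4.2.4", 5)]:
        v = assess(ver, php)
        status = f"upgrade to {'.'.join(map(str, v.fixed_in))}" if v.affected else "not affected"
        note = " (PHP4: drop 'public static' from getRandomBytes)" if v.php4_caveat else ""
        print(f"{host}: TYPO3 {ver} -> {status}{note}")
```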
- TYPO3-SA-2009-001: Multiple vulnerabilities in TYPO3 Core, Typo3 Security Bulletin