In association with heise online

05 July 2012, 12:01

TYPO3 updates close File Uploader vulnerability


The TYPO3 development team has released updates for all currently supported versions of its open source content management system (CMS), fixing a number of bugs and closing a security hole in one of the TYPO3 Core components. According to the developers, the JavaScript and Flash Upload Library (swfupload) used in previous versions of TYPO3 did not properly sanitise the "movieName" parameter before calling "ExternalInterface.call()".

This vulnerability could have been exploited by an attacker to execute arbitrary code in a browser session and conduct cross-site scripting (XSS) attacks. Versions 4.5.0 to 4.5.16, 4.6.0 to 4.6.9, 4.7.0 and 4.7.1, as well as the 6.0 branch development releases are affected; upgrading to TYPO3 4.5.17, 4.6.10 or 4.7.2 resolves the problem.
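The flaw described above is the classic case of an untrusted value landing in a code position: the Flash movie hands its movieName back to the page through ExternalInterface.call(), and if that string is spliced into a JavaScript expression unescaped, a quote or bracket in it changes the structure of the expression. The following is an added illustration, not TYPO3 or swfupload code; the SWFUpload.instances[...] expression shape, the method names and the dispatch() entry point are assumptions for the example. It shows the two defensive measures a maintainer would reach for: a strict allowlist on the name before any string building, and, better, a fixed entry point that treats the name purely as data.

```javascript
// Added example (not TYPO3/swfupload code). Assumed shape of the legacy
// callback: SWFUpload.instances["<movieName>"].flashReady()

// Identifier-safe allowlist: letters, digits, underscore, hyphen; no quotes,
// brackets, semicolons or whitespace, so the value cannot alter an expression.
const SAFE_NAME = /^[A-Za-z_][A-Za-z0-9_-]{0,63}$/;
const SAFE_METHOD = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isSafeMovieName(name) {
  return typeof name === "string" && SAFE_NAME.test(name);
}

// Measure 1 (legacy style): the name is concatenated into a JS expression
// that the browser will evaluate. Refuse anything outside the allowlist
// instead of trying to escape it after the fact.
function buildCallbackExpression(movieName, method) {
  if (!isSafeMovieName(movieName) || !SAFE_METHOD.test(method)) {
    throw new Error("rejected: movieName and method must be identifier-safe");
  }
  return 'SWFUpload.instances["' + movieName + '"].' + method + "()";
}

// Measure 2 (preferred): one fixed entry point. The SWF calls
// dispatch(movieName, method, ...args); the name is looked up in a Map and
// never becomes part of any code string. Method names are allowlisted too,
// so prototype members such as "constructor" cannot be reached.
const instances = new Map();
const allowedMethods = new Set(["flashReady", "uploadStart", "uploadComplete"]);

function registerInstance(movieName, handlers) {
  if (!isSafeMovieName(movieName)) throw new Error("rejected movieName");
  instances.set(movieName, handlers);
}

function dispatch(movieName, method, ...args) {
  const inst = instances.get(movieName); // plain data lookup, no eval
  if (!inst || !allowedMethods.has(method)) return false;
  if (typeof inst[method] !== "function") return false;
  inst[method](...args);
  return true;
}
```

With the dispatcher in place the allowlist on movieName becomes defence in depth rather than the only thing standing between the Flash movie and script execution in the page.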

Further information about the updates, including a full list of bug fixes, can be found in the 4.5.17, 4.6.10 and 4.7.2 release notes, and in the security advisory. The updates are available to download from the project's site. All users are advised to update their installations as soon as possible. TYPO3 is licensed under the GPLv2 or later.

(crve)

Permalink: http://h-online.com/-1632768