Typo3 hack on German Interior Minister's web site
Anyone who hasn't yet fixed the hole in the Typo3 content management system that was reported yesterday should install the current update without delay. Vulnerable pages can easily be found using Google, and then they can be trashed.
Wolfgang Schäuble, Germany's Interior Minister, found this out last night when his web site acquired a link to the German Working Group on Data Retention, which is protesting against that controversial government scheme. The perpetrators kindly left a clue to how they got into the system by mentioning the Typo3 update: apparently they were able to access the configuration file "localconf.php" using a special URL. A more worrying point is that they could use Google to find the administrator's password hash held there, and crack it very easily.
Mr Schäuble's personal web site still hadn't been restored to its original condition on Wednesday morning. Now his web site seems to be under construction, announcing only that "the requested page is temporarily unavailable". The password, by the way, was "gewinner".
This is the third time the Minister's page has suffered security problems.