Vulnerabilities in multiple Typo3 extensions
The Typo3 development team has published three security bulletins describing cross-site scripting, SQL injection and command injection vulnerabilities in a total of nine extensions. These could allow an attacker to manipulate a database in order to access confidential data or even to obtain administrative access to a system.
The extensions are not part of the default Typo3 installation. According to the reports, the extensions affected include:
- [AN] Search it! (an_searchit) 2.4.1 and prior
- Simple download-system with counter and categories (kk_downloader) 1.2.1 and prior
- Automatic Base Tags for RealUrl (lt_basetag) 1.0.0
- Trips (mchtrips) 2.0.0
- simple Glossar (simple_glossar) 1.0.3 and prior
- TW Productfinder (tw_productfinder) 0.0.2 and prior
- DB Integration (wfqbe) 1.3.1 and prior
- Direct Mail (direct_mail) 2.6.4 and prior
- Calendar Base (cal) 1.2.0 and prior
The developers classify most of the problems as high risk. Updates are so far only available for DB Integration, Trips, kk_downloader, Direct Mail and Calendar Base, and can be installed via the Typo3 Extension Manager. Updates for the other affected extensions are, for a variety of reasons, not yet available, and users are advised to remove them – they have already been removed from the Typo3 extension repository.
See also:
- TYPO3 Collective Security Bulletin TYPO3-SA-2009-017: Several vulnerabilities in third party extensions
- TYPO3 Security Bulletin TYPO3-SA-2009-018: XSS vulnerability in extension "Direct Mail" (direct_mail)
- TYPO3 Security Bulletin TYPO3-SA-2009-019: Blind SQL Injection vulnerability in extension "Calendar Base" (cal)
(djwm)