Dear users of TYPO3!
It has been discovered that the TYPO3 prepared statement database API, which was introduced in TYPO3 version 4.5, allows SQL injections.
It was also brought to our attention that in all TYPO3 versions starting from 4.2, improper error handling in the caching system could lead to cache flooding.
For more details on both issues please read the corresponding advisories:
TYPO3 Security Bulletin TYPO3-CORE-SA-2011-002: Potential SQL injection vulnerability in TYPO3 Core:
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-002/
TYPO3 Security Bulletin TYPO3-CORE-SA-2011-003: Improper error handling could lead to cache flooding in TYPO3 Core:
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-003/
In general, the TYPO3 Security Team recommends reading the following pages:
The TYPO3 Security Cookbook:
http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
Make sure you are subscribed to the TYPO3 Announce List:
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
See all TYPO3 security advisories:
http://typo3.org/teams/security/security-bulletins/
Kind Regards,
Helmut Hummel
Member of the TYPO3 Security Team
--
TYPO3 Security Team homepage: http://typo3.org/teams/security/
E-Mail: security@typo3.org
_______________________________________________
TYPO3-announce mailing list
TYPO3-announce at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce