Dear users of TYPO3,
It has been discovered that the extension ftpbrowser performs
incorrect authentication in some files, leaving it open to exploitation.
==== Component Type ====
Third-party extension. This extension is not part of the TYPO3
default installation.
==== Affected Versions ====
Version 0.1.2 and all versions below
==== Vulnerability Type ====
Incorrect authentication
==== Severity ====
HIGH
==== Problem Description ====
Because authentication is lacking in some situations, the extension
makes it possible to upload malicious scripts, which could compromise
the installation.
==== Solution ====
An updated version is available from the TYPO3 extension manager at
http://typo3.org/extensions/repository/view/ftpbrowser/0.1.3/
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook [1].
==== Credits ====
Credits go to security team member Henning Pingel who discovered
these issues and to Jean-David Gadina, who is the author and fixed
the issues.
Regards,
Lars Houmark
lars@typo3.org