=====================================================================
CERT-Renater Information Note No. 2007/VULN513
_____________________________________________________________________

DATE                 : 14/12/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running TYPO3.
======================================================================

http://typo3.org/teams/security/security-bulletins/typo3-20071210-1/
______________________________________________________________________

TYPO3 Security Bulletin 20071210-1: SQL Injection in system extension
indexed_search

Component Type: System extension, part of the TYPO3 default
installation.

Affected Versions: TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.3.

Vulnerability Type: SQL Injection.

Severity: Low.

Problem Description:
The system extension indexed_search is vulnerable to SQL injection.
To exploit this flaw, an attacker must already be logged in as a
backend user.

Solution:
If you use TYPO3 4.1.x, update to TYPO3 version 4.1.4 or later.
If you use TYPO3 3.x or 4.0.x, update to TYPO3 version 4.0.8 or later.
Note that no fixed 3.x release is offered: a 3.x installation must
move to the 4.0 branch (4.0.8 or later) to receive the fix.

General advice:
Download the latest version of TYPO3 here.
Further information regarding SQL injection can be found at Wikipedia.
Follow the recommendations given in the TYPO3 Security Cookbook.
Check the TYPO3 security bulletin page frequently for updates. The
page is located at http://typo3.org/teams/security/security-bulletins/.

Credits:
Credits go to Henning Pingel, who discovered the issue, and Andreas
Otto, who supplied a patch for this issue.
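The following is an added example and is not part of this note or of the TYPO3 project: a small Python check that tells whether a given TYPO3 version string falls inside the affected ranges stated in the bulletin, and which release its Solution section points to. It encodes only what the bulletin says; branches the bulletin does not mention (4.2 and later) are reported as not covered rather than as safe. Treating a version string with a suffix such as "4.1.3-dev" by its numeric prefix is an assumption of this example.

```python
"""Check a TYPO3 version string against TYPO3 Security Bulletin 20071210-1.

Added example, not code from the CERT-Renater note or from TYPO3.
Ranges are taken from the bulletin's "Affected Versions" and "Solution"
sections: 3.x (all releases), 4.0 to 4.0.7, 4.1 to 4.1.3; fixed in
4.0.8 and 4.1.4. Branches the bulletin does not list are reported as
"not covered" (None), never as "not affected".
"""
import re
from typing import Optional, Tuple

# (major, minor) -> first patch level that carries the fix,
# exactly as stated in the bulletin's Solution section.
FIXED_IN = {
    (4, 0): 8,   # 4.0.x: fixed from 4.0.8
    (4, 1): 4,   # 4.1.x: fixed from 4.1.4
}

# Leading "major.minor[.patch]"; any suffix (e.g. "-dev") is ignored.
# Assumption: a suffixed pre-release is judged by its numeric prefix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a tuple; a missing patch level is 0.

    Raises ValueError for input that does not start with a version number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a TYPO3 version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> Optional[bool]:
    """Return True if affected, False if the version carries the fix,
    None if the bulletin does not cover that branch at all."""
    major, minor, patch = parse_version(version)
    if major < 3:
        return None            # older than anything the bulletin lists
    if major == 3:
        return True            # every 3.x release is affected
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None            # e.g. 4.2: not mentioned in the bulletin
    return patch < fixed


def recommended_upgrade(version: str) -> Optional[str]:
    """Upgrade target from the Solution section, or None when the
    version is already fixed or is not covered by the bulletin."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    if major == 3 or (major, minor) == (4, 0):
        return "4.0.8"        # 3.x has no fixed release; move to 4.0.8
    return "4.1.4"


if __name__ == "__main__":
    # Constructed sample inputs covering each branch the bulletin names.
    for v in ["3.8.1", "4.0", "4.0.7", "4.0.8", "4.1.3-dev", "4.1.4", "4.2.0"]:
        print(f"{v:>9}: affected={is_affected(v)} "
              f"upgrade_to={recommended_upgrade(v)}")
```

Run it against the version reported by your installation; a result of None means the bulletin makes no statement about that branch, so consult the bulletin page listed above rather than treating the installation as unaffected.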
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44        +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41        +
+ 75013 Paris           | email: certsvp@renater.fr    +
=========================================================