=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2011/VULN232
_____________________________________________________________________

DATE                      : 16/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Direct Mail for TYPO3 version prior to 2.6.10.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-002
______________________________________________________________________


TYPO3 Security Bulletin TYPO3-SA-2011-002: XSS and SQL Injection
vulnerabilities in extension "Direct Mail" (direct_mail)

Release Date: March 15, 2011

Component Type: Third party extension. This extension is not a part of the
TYPO3 default installation.

Affected Versions: Version 2.6.9 and all versions below

Vulnerability Type: Cross-Site Scripting (XSS), SQL Injection

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C (What's that?)

Problem Description: Failing to properly sanitize user-supplied input
the extension is open to Cross-Site Scripting (XSS) and SQL Injection
attacks. The vulnerabilities allow authenticated website editors to
execute JavaScript code or HTML or inject arbitrary SQL in the
Direct Mail Backend module used to administrate newsletter
configurations.

Solution: An updated version 2.6.10 is available from the TYPO3 extension
manager and at http://typo3.org/extensions/repository/view/direct_mail/2.6.10/.
Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to TYPO3 Security Team member Georg Ringer who discovered
and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security
Cookbook. Please subscribe to the typo3-announce mailing list to receive future
Security Bulletins via E-mail.

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================