
TYPO3 Enterprise Content Management System

official group: TYPO3 CMS is the most widely used Enterprise CMS, providing the basis for websites, intranets and web & mobile apps.

Christopher Friedmann TYPO3 Security Bulletin 20071210-1: SQL Injection in system extension indexed_search
It has been discovered that the system extension indexed_search is vulnerable to a SQL Injection flaw.
==== Component Type ====
System extension, part of the TYPO3 default installation.
==== Affected Versions ====
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.3.
==== Vulnerability Type ====
SQL Injection.
==== Severity ====
Low.
==== Problem Description ====
The system extension indexed_search is vulnerable to a SQL Injection.
To exploit this flaw it is necessary to be a logged-on backend user.
==== Solution ====
If you use TYPO3 4.1.x, update to TYPO3 version 4.1.4 or later.
If you use TYPO3 3.x or 4.0.x, update to TYPO3 version 4.0.8 or later.
==== General advice ====
Download the latest TYPO3 version here [1].
Further information regarding SQL Injections can be found at Wikipedia [2].
Follow the recommendations that are given in the TYPO3 Security Cookbook [3].
Check the TYPO3 security bulletin page frequently for updates. The page is located at [4].
==== Credits ====
Credits go to Henning Pingel, who discovered the issue, and Andreas Otto, who supplied a patch for this issue.
Author: Lars Houmark
Best regards
Christopher Friedmann
Christopher Friedmann The core team is proud to announce the second Alpha of TYPO3 version 4.2.
Community involvement
First of all this is the first release of TYPO3 since the core development mailing list has been opened for public write access. The core team likes to thank all those who have been actively contributing to improve TYPO3 since then. We're stunned about the huge success of the open core development mailing list and the many contributions!
Backend improvements
This version ships with the initial work of the "Cleaner backend"
project which consists of several major parts. In the first step the backend was freed from the frames which have been replaced by div containers and a single iframe. A special thanks goes to Dirk Jesse from the YAML CSS Framework project for helping out here! To make the former top frame free for new tasks the secondary options in TCEforms now unfold directly at their parent input fields. After that was accomplished it was now possible to move other elements to newly won space in the new toolbar at the top. For now only the workspace selector has moved, but other elements will follow.
Another major task was the restyling of TCEforms to always have the buttons to save a document in sight at the top of the editing area.
You can test the new backend by accessing it through typo3/backend.php.
Installer 2
The installer version 2 has been added to this release to make it easy to test the new version. This new installer is a complete rewrite of the old one by Thomas Hempel; it's now divided into two parts, the installer itself and a setup module which is accessible from the backend. When doing a new install you'll be prompted whether you want to use the old or the new installer. At the current state you can use the new installer in 1-2-3 mode only and then refine your settings from within the backend.
T3Editor
Also completely new in this version is the so called t3editor by Tobias Liebig which makes it possible to highlight TypoScript when editing TypoScript templates in the Web->Template module.
Linking to records using the RTE
A feature which was partly available in 4.1 already but unusable because of a typo is now fully implemented. Extensions can now link to records like tt_news items directly using a RTE wizard. This will not work out of the box though, as it needs support from the extensions which need to handle the rendering in the frontend.
More improvements to the RTE
Stanislas Rolland is back from his long holiday trip and has since kept on working on rtehtmlarea. He added several features to the RTE like making it possible to extend the RTE with own plugins. Other than that there seems to be an uncountable amount of bugfixes which are always very much welcomed.
Improvements for the RTE
RTEmagic images are now duplicated when records are copied/versioned in tcemain. This is a long awaited feature that solves the bug that RTE magic images shared between two records would result in both disappearing if the one was deleted. Therefore this is also an important fix for Workspaces.
New language
The Galician language was added so that localizations can be downloaded as they become available from the translators. TYPO3 can now be translated into 49 languages.
Third party libraries
TYPO3 4.2alpha2 comes with updated javascript libraries; we now ship with prototype 1.6.0 and script.aculo.us 1.8.0. Libraries to minify javascript and prevent cross site scripting (XSS) attacks have been added, too.
Raised minimum PHP version requirement
To run TYPO3 4.2alpha2 you need to have at least PHP 5.2. This move was necessary to use features introduced since PHP 5.0.
As always
Other than the highlighted features we also packed tons of bug fixes, performance improvements, enthusiasm, and love into this release.
Next steps to 4.2
Please test this Alpha as much as possible, especially the new features from alpha1 and those described above! If you're e.g. using one of the new features in a project of yours already and discover bugs, please report them immediately to http://bugs.typo3.org/!
During the next weeks, we will release one more Alpha before locking down the development of new features. We will then continue with Beta releases which are only meant for bug fixes before turning to Release Candidates and the final version of TYPO3 4.2. This means that you can expect the final version to be ready around the end of January '08.
For a detailed overview of the features planned for 4.2 and their progress, have a look at the 4.2 Development wiki page, the bugtracker, and the ChangeLog.
You can download the packages at http://typo3.org/download/packages/.
Source: TYPO3-announce Mailing-List
Writer: Ingo Renner
Best regards
Christopher Friedmann
Christopher Friedmann SQL Injection in fechangepassword
TYPO3 Security Bulletin TYPO3-20070710-1: SQL Injection in fechangepassword
Component Type: Third party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 2.1.2 and all versions below
Vulnerability Type: SQL Injection
Severity: HIGH
Problem Description: When changing the password, it is possible to post malicious data injecting the SQL update query.
Solution: An updated version is available from the TYPO3 extension manager at http://typo3.org/extensions/repository/view/fechangepassword/2.2.0/
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.
Credits: Credits go to Allan Jacobsen who is the author and fixed the issue.
Best regards
Christopher Friedmann
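The bulletin above names the flaw class but not the code. As an added illustration (not the fechangepassword extension's own code), the following PHP shows a password-change UPDATE built by string concatenation next to the prepared-statement form that fixes it, plus the regression check a maintainer would keep so the defect cannot return. It uses an in-memory SQLite database through PDO; the fe_users table, the two user rows and the test input are constructed sample data.

```php
<?php
// Added illustration, not the fechangepassword extension's code: the flaw class the
// bulletin names (user-supplied data concatenated into a password-change UPDATE)
// next to the prepared-statement fix. In-memory SQLite via PDO; table and rows are
// constructed sample data.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO fe_users (uid, username, password) VALUES (1, 'alice', 'old-a'), (2, 'bob', 'old-b')");
    return $db;
}

// Vulnerable pattern: the posted value becomes part of the SQL text, so it can
// rewrite the statement, including the WHERE clause that scopes the update to
// the logged-in user's own row.
function changePasswordUnsafe(PDO $db, int $uid, string $newPassword): int
{
    $sql = "UPDATE fe_users SET password = '" . $newPassword . "' WHERE uid = " . $uid;
    return $db->exec($sql); // number of rows changed
}

// Hardened pattern: bound parameters keep the posted value as data, never as SQL.
function changePasswordSafe(PDO $db, int $uid, string $newPassword): int
{
    $stmt = $db->prepare('UPDATE fe_users SET password = :pw WHERE uid = :uid');
    $stmt->execute([':pw' => $newPassword, ':uid' => $uid]);
    return $stmt->rowCount();
}

function passwordOf(PDO $db, int $uid): string
{
    $stmt = $db->prepare('SELECT password FROM fe_users WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    return (string) $stmt->fetchColumn();
}

// Regression check a maintainer can keep: a new password containing a quote
// character must change exactly one row, be stored verbatim, and leave every
// other user's row untouched. The unsafe variant fails this check.
function regressionCheck(callable $changePassword): array
{
    $db = setupDb();
    $input = "x' WHERE 1=1 --"; // constructed input containing a quote character
    try {
        $rows = $changePassword($db, 1, $input);
    } catch (PDOException $e) {
        return ['pass' => false, 'reason' => 'statement broke: ' . $e->getMessage()];
    }
    $ok = $rows === 1
        && passwordOf($db, 1) === $input
        && passwordOf($db, 2) === 'old-b';
    return ['pass' => $ok, 'rows_changed' => $rows];
}

print_r(regressionCheck('changePasswordUnsafe'));
print_r(regressionCheck('changePasswordSafe'));
```

Run it with the php CLI (the pdo_sqlite extension must be enabled). The telling signal is the row count: a password change that reports more than one affected row, or that breaks on a quote character, is exactly what the bulletin's "injecting the SQL update query" means, and the bound-parameter version is the fix the updated extension release corresponds to.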
Christopher Friedmann Incorrect authentication in ftpbrowser
TYPO3 Security Bulletin TYPO3-20070709-1: Incorrect authentication in ftpbrowser
Component Type: Third party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: Version 0.1.2 and all versions below
Vulnerability Type: Incorrect authentication
Severity: HIGH
Problem Description: Lacking authentication in some situations, the extension opens the possibility for uploading malicious scripts which could compromise the installation.
Solution: An updated version is available from the TYPO3 extension manager at http://typo3.org/extensions/repository/view/ftpbrowser/0.1.3/
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.
Credits: Credits go to security team member Henning Pingel who discovered these issues and to Jean-David Gadina who is the author and fixed the issues.
Best regards
Christopher Friedmann
Christopher Friedmann TYPO3 Security Bulletin TYPO3-20070703-1
TYPO3 Security Bulletin TYPO3-20070703-1: Multiple vulnerabilities in all variants of MySQLDumper
Component Type: Third party extension. This extension is not part of the TYPO3 default installation.
Affected Versions:
a) TYPO3 extension mysqldumper: Version 0.0.5 and all versions below
b) Standalone releases of MySQLDumper: All currently available versions
from http://www.mysqldumper.de/board/downloads.php?cat=2
(1.23_pre_release_REV227, 1.22, 1.21b)
Due to special circumstances the TYPO3 security team has decided to address both users of the standalone tool and of the TYPO3 extension with this bulletin. The reasons for this exceptional approach are explained below (see "Background").
Vulnerability Type:
Various vulnerabilities such as
a) Full read and write access to the connected MySQL database
b) Creation and download of database backups possible
c) Full admin backend access to a TYPO3 web site possible
Severity: HIGH
Source: typo3.org
Best regards
Christopher Friedmann
About the group "TYPO3 Enterprise Content Management System"

  • Founded: 24.08.2004
  • Members: 10,121
  • Visibility: open
  • Posts: 4,830
  • Comments: 8,181