Dear users of TYPO3,

It has been discovered that the system extension indexed_search is vulnerable to a SQL Injection flaw.

==== Component Type ====
System extension, part of the TYPO3 default installation.

==== Affected Versions ====
TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.3.

==== Vulnerability Type ====
SQL Injection.

==== Severity ====
Low.

==== Problem Description ====
The system extension indexed_search is vulnerable to a SQL Injection. To exploit this flaw it is necessary to be a logged-on backend user.

==== Solution ====
If you use TYPO3 4.1.x, update to TYPO3 version 4.1.4 or later.
If you use TYPO3 3.x or 4.0.x, update to TYPO3 version 4.0.8 or later.

==== General advice ====
Download the latest TYPO3 version here [1]. Further information regarding SQL Injections can be found at Wikipedia [2]. Follow the recommendations that are given in the TYPO3 Security Cookbook [3]. Check the TYPO3 security bulletin page frequently for updates. The page is located at [4].

==== Credits ====
Credits go to Henning Pingel, who discovered the issue, and Andreas Otto, who supplied a patch for this issue.

[1] http://typo3.org/download/packages/
[2] http://en.wikipedia.org/wiki/SQL_injection
[3] http://typo3.org/fileadmin/security-team/typo3_security_cookbook_v-0.5.pdf
[4] http://typo3.org/teams/security/security-bulletins/

Regards,
Lars Houmark