TYPO3-20071210-1: SQL Injection in system extension indexed_search

It has been discovered that the system extension indexed_search is vulnerable to a SQL Injection flaw.

Component Type: System extension, part of the TYPO3 default installation.

Affected Versions: TYPO3 versions 3.x, 4.0 to 4.0.7, 4.1 to 4.1.3.

Vulnerability Type: SQL Injection.

Severity: Low.

Problem Description:
The system extension indexed_search is vulnerable to SQL Injection. Exploiting this flaw requires being logged in as a backend user.

Solution:
If you use TYPO3 4.1.x, update to TYPO3 version 4.1.4 or later.
If you use TYPO3 3.x or 4.0.x, update to TYPO3 version 4.0.8 or later.

General advice:
Download the latest version of TYPO3.
Further information regarding SQL Injection can be found on Wikipedia.
Follow the recommendations that are given in the TYPO3 SECURITY Guide.
Check the TYPO3 security bulletin page frequently for updates. The page is located at typo3.org/teams/security/security-bulletins/.

Credits: Credits go to Henning Pingel, who discovered the issue, and Andreas Otto, who supplied a patch for this issue.