
Security Bulletin TYPO3-20080416-2: SQL Injection in extensions pmk_rssnewsexport and cm_rdfexport

Component Type: Third party extensions. These extensions are not part of the TYPO3 default installation.

Affected Versions: pmk_rssnewsexport: All versions, cm_rdfexport: All versions

Vulnerability Type: SQL Injection

Severity: HIGH

Problem Description: Both extensions are open to SQL injection flaws because they fail to properly sanitize user-supplied input.

Solution: No fixed versions are available, so users are encouraged to remove these extensions from their TYPO3 installation. The functionality of both extensions is included in current versions of extension tt_news, therefore pmk_rssnewsexport and cm_rdfexport are obsolete and were removed from TER. Users of the vulnerable extensions should use the RDF/RSS export functionality of tt_news instead.
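As an added illustration of the flaw class this bulletin describes (it is not code from pmk_rssnewsexport, cm_rdfexport or the TYPO3 project), the following hypothetical TYPO3 4.x frontend plugin snippet places the unsanitized query pattern next to its hardened form. The function names and the tt_news column names used here are assumptions; the API calls are the t3lib_div and t3lib_DB methods of that TYPO3 generation.

```php
<?php
// Added illustration only: not the code of pmk_rssnewsexport or cm_rdfexport.
// Assumes the TYPO3 4.x API of this bulletin's era: t3lib_div::_GP() reads a
// GET/POST parameter and $GLOBALS['TYPO3_DB'] is the t3lib_DB instance.
// The columns `category` and `author` on tt_news are assumed for the example.

// Vulnerable pattern: the raw request value is concatenated into the WHERE
// clause, so whatever the client sends becomes part of the SQL text.
function rss_export_rows_unsafe() {
    $cat = t3lib_div::_GP('cat');
    $where = "category = '" . $cat . "' AND deleted = 0";
    $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,title,datetime', 'tt_news', $where);
    return collect_rows($res);
}

// Hardened pattern: cast numeric parameters with intval(), clamp limits with
// intInRange(), and pass string parameters through fullQuoteStr(), which
// quotes and escapes them for the configured database. The frontend
// enableFields() clause additionally hides deleted/hidden/timed records.
function rss_export_rows_safe() {
    $db = $GLOBALS['TYPO3_DB'];
    $cat = intval(t3lib_div::_GP('cat'));                                // integers only
    $author = $db->fullQuoteStr(t3lib_div::_GP('author'), 'tt_news');    // quoted + escaped
    $limit = t3lib_div::intInRange(t3lib_div::_GP('limit'), 1, 50, 10);  // 1..50, default 10
    $where = 'category = ' . $cat
           . ' AND author = ' . $author
           . $GLOBALS['TSFE']->sys_page->enableFields('tt_news');
    $res = $db->exec_SELECTquery('uid,title,datetime', 'tt_news', $where, '', 'datetime DESC', $limit);
    return collect_rows($res);
}

// Shared helper: read all rows from a t3lib_DB result resource.
function collect_rows($res) {
    $rows = array();
    if ($res) {
        while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
            $rows[] = $row;
        }
        $GLOBALS['TYPO3_DB']->sql_free_result($res);
    }
    return $rows;
}
?>
```

When auditing a third-party extension before deciding whether to keep it installed, the pattern to look for is the first function: a value obtained from _GP(), _GET() or _POST() (or from piVars) that reaches exec_SELECTquery or a raw sql_query call by string concatenation without passing through intval() or fullQuoteStr().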

General advice:
Follow the recommendations that are given in the TYPO3 Security Cookbook.
Check the TYPO3 security bulletin page frequently for updates. The page is located at http://typo3.org/teams/security/security-bulletins/.

Credits: The TYPO3 Security Team wishes to thank Anders Skovsgaard from Hackavoid who discovered and reported the security issue.