Security Bulletin TYPO3-20060501-1: chc_forum

Categories: Security
Created by: Michael Hirdes

A weakness in the display of forum messages of chc_forum has been discovered that may be used to execute arbitrary SQL.

Component Type: Third Party Extension. The extension is not part of the TYPO3 default installation.

Affected Components: chc_forum

Versions: 1.4.4 and earlier

Vulnerability Type: SQL injection

Severity: High

Problem Description:
A weakness in the display of forum messages of chc_forum has been discovered that may be used to execute arbitrary SQL.

Solution:
An updated version (chc_forum version 1.4.5) can be found on the TER or via the Extension Manager. All users of this extension are advised to immediately install the update.

Credits: Thanks to Nickolas Shardin, who discovered the vulnerability, thanks to Rupert Germann for notifying the security team, thanks to the extension author Zach Davis for providing an updated version of the extension immediately.