TYPO3-20051010-10: TYPO3 Security Bulletin

A bug has been discovered in the "Front End News Submitter" (fe_news) where SQL injection is not safely prevented and thus malicious SQL commands are potentially possible. Since the RTE enabled version (fe_rtenews) is derived from fe_news, it is affected as well.

Component Type: Third Party Extension. This extension is third party code that has not yet been submitted to the TYPO3 extension review process. The extension is not part of TYPO3 default installations.

Affected Components:

(a) fe_news

(b) fe_rtenews

Versions:

(a) fe_news: all versions

(b) fe_rtenews: 0.4.3 and earlier

Vulnerability Type: Information Disclosure, Data Corruption

Severity: High

Problem Description:
A bug has been discovered in the "Front End News Submitter" (fe_news) where SQL injection is not safely prevented: user-supplied form input reaches SQL queries without adequate escaping, so a crafted submission can alter the queries the extension executes, reading data the site does not expose or modifying stored records.

Since the RTE enabled version (fe_rtenews) is derived from fe_news, it is affected as well.
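The following is an added illustration of the vulnerability class named above; it is not code from fe_news or fe_rtenews, and the table name, columns and attacker inputs are constructed for the example. It shows a moderated news-submission queue in SQLite (used as a stand-in for the TYPO3 database layer) where one search and one insert splice request parameters into the SQL text, next to the same operations using bound parameters. The unsafe search leaks rows that are still hidden, and the unsafe insert lets the submitter override the moderation flag, which is the "Information Disclosure, Data Corruption" pairing listed under Vulnerability Type.

```python
import sqlite3

# Added example; NOT code from fe_news or fe_rtenews. The table and columns
# are invented stand-ins for a moderated front-end news queue.
SCHEMA = """
CREATE TABLE fe_submissions (
    uid    INTEGER PRIMARY KEY,
    title  TEXT NOT NULL,
    author TEXT NOT NULL,
    hidden INTEGER NOT NULL DEFAULT 1   -- 1 = awaiting moderation
)
"""

# Constructed seed data: one published item, one unreviewed draft.
SEED = [("Published article", "editor", 0),
        ("Unreviewed draft", "someone", 1)]


def open_db():
    """Fresh in-memory database seeded with one public and one hidden item."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO fe_submissions (title, author, hidden) VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the request parameter is spliced into the WHERE clause."""
    sql = ("SELECT uid, title FROM fe_submissions "
           "WHERE hidden = 0 AND title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT uid, title FROM fe_submissions WHERE hidden = 0 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def submit_unsafe(conn, title, author):
    """Vulnerable insert: hidden=1 is hard-coded, but a crafted title closes the
    VALUES list early and supplies its own hidden flag."""
    sql = ("INSERT INTO fe_submissions (title, author, hidden) VALUES ('"
           + title + "', '" + author + "', 1)")
    conn.execute(sql)
    conn.commit()


def submit_safe(conn, title, author):
    """Hardened insert: the title is stored literally and hidden stays 1."""
    sql = "INSERT INTO fe_submissions (title, author, hidden) VALUES (?, ?, 1)"
    conn.execute(sql, (title, author))
    conn.commit()


def visible_titles(conn):
    """Titles a front-end visitor is meant to see (hidden = 0), in insert order."""
    return [r[0] for r in conn.execute(
        "SELECT title FROM fe_submissions WHERE hidden = 0 ORDER BY uid")]


# Constructed attacker inputs. `--` starts an SQL comment, so the remainder of
# the original statement is discarded.
LEAK_TERM = "%' OR 1=1 --"           # WHERE ... LIKE '%%' OR 1=1 --%'
PUBLISH_TITLE = "Spam', 'anon', 0) --"  # VALUES ('Spam', 'anon', 0) --', ..., 1)


def demo():
    """Run both attacks against the unsafe and the hardened code paths."""
    conn = open_db()
    leaked = search_unsafe(conn, LEAK_TERM)        # hidden draft is returned too
    contained = search_safe(conn, LEAK_TERM)       # pattern matches nothing
    submit_unsafe(conn, PUBLISH_TITLE, "ignored")  # lands with hidden = 0
    submit_safe(conn, PUBLISH_TITLE, "ignored")    # lands hidden, title kept literally
    return leaked, contained, visible_titles(conn)


if __name__ == "__main__":
    for name, value in zip(("unsafe search", "safe search", "visible titles"), demo()):
        print(name + ":", value)
```

Note that neither attack needs anything beyond the ability to submit the form, which is why restricting the extension to logged-in users does not remove the risk. In a TYPO3 extension the equivalent hardening is to pass values through the database API's quoting helpers or its array-based query builders rather than concatenating them into query strings.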

Solution:

(a) fe_news: The author has been contacted multiple times but has not responded. The extension has therefore been taken offline from typo3.org and TER. All users of this extension are strongly advised to either migrate to fe_rtenews (version 0.4.4 if you do not need the RTE functionality) or to disable the extension. Limiting fe_news access to registered users is not considered safe, since any user who can reach the submission form can exploit the flaw.

(b) fe_rtenews: Updated versions (currently 0.4.4 to 1.3.1) of fe_rtenews can be found at typo3.org/extensions/repository/list/fe_rtenews or via the Extension Manager. All users of this extension are advised to update immediately.

Credits:
Thanks to Sacha Ligthert for notifying us; thanks to Toni Milovan for immediately providing a fixed version of fe_rtenews.