Component Type: Third Party Extension. The extension is not part of the
TYPO3 default installation.
Affected Components: dam_downloads
Versions: 1.0.1 and earlier
Vulnerability Type: Path traversal and SQL injection
Severity: High
Problem Description:
A serious problem has been discovered in the file zipit.php, which is shipped
as part of the dam_downloads extension: it allows a user to download
arbitrary files from the server (path traversal).
A second weakness has been discovered that may be used to execute arbitrary SQL (SQL injection).
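Both weaknesses named above are the two classic defects of a file-download script: building a filesystem path from user input without checking that it stays inside the download directory, and interpolating a request parameter into SQL text. The following is an added example, not code from the dam_downloads extension or from zipit.php, and it does not claim to reproduce how that file was written; the directory layout, the `files` table and the function names are constructed for the example. It is in Python rather than PHP so that it runs stand-alone; the containment check and the bound-parameter query carry over unchanged.

```python
import os
import sqlite3
import tempfile


class DownloadError(Exception):
    """Raised when a requested download is refused."""


def is_within_root(root, requested):
    """True only if `requested` resolves to a location strictly inside `root`.

    Resolving with realpath canonicalises '..' segments and follows symlinks,
    so a link inside the root that points outside is refused as well. An
    absolute `requested` makes os.path.join discard `root`, which the
    commonpath comparison then catches. NUL bytes are rejected up front.
    """
    if "\x00" in requested:
        return False
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    return candidate != root_real and os.path.commonpath([root_real, candidate]) == root_real


def resolve_download_path(root, requested):
    """Hardened mapping from a user-supplied name to a file inside `root`."""
    if not is_within_root(root, requested):
        raise DownloadError("requested path escapes the download root")
    candidate = os.path.realpath(os.path.join(os.path.realpath(root), requested))
    if not os.path.isfile(candidate):
        raise DownloadError("no such file")
    return candidate


def read_download_unsafe(root, requested):
    """Vulnerable pattern: concatenate user input with the root and open it."""
    with open(os.path.join(root, requested), "rb") as fh:
        return fh.read()


def lookup_path_unsafe(conn, file_id):
    """Vulnerable pattern: the id is interpolated into the statement text."""
    sql = f"SELECT path FROM files WHERE id = {file_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_path(conn, file_id):
    """Hardened lookup: the id travels as a bound value, never as SQL text."""
    row = conn.execute("SELECT path FROM files WHERE id = ?", (file_id,)).fetchone()
    return row[0] if row else None


def serve_download(root, conn, file_id):
    """Safe download flow: parameterized lookup, then containment check."""
    name = lookup_path(conn, file_id)
    if name is None:
        raise DownloadError("unknown file id")
    with open(resolve_download_path(root, name), "rb") as fh:
        return fh.read()


def build_fixture():
    """Constructed layout for this example (not the extension's own):
    <tmp>/downloads/ holds the published files, <tmp>/secret.txt sits one
    level above the download root, and an in-memory table maps ids to names."""
    base = tempfile.mkdtemp(prefix="dam_example_")
    root = os.path.join(base, "downloads")
    os.makedirs(os.path.join(root, "archive"))
    with open(os.path.join(root, "brochure.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 brochure")
    with open(os.path.join(root, "archive", "old.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04old")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"not for download")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT NOT NULL)")
    conn.executemany("INSERT INTO files VALUES (?, ?)",
                     [(1, "brochure.pdf"), (2, "archive/old.zip")])
    conn.commit()
    return root, conn


if __name__ == "__main__":
    root, conn = build_fixture()
    print(read_download_unsafe(root, "../secret.txt"))   # vulnerable: reads outside the root
    print(lookup_path_unsafe(conn, "1 OR 1=1"))          # vulnerable: every row comes back
    print(lookup_path(conn, "1 OR 1=1"))                 # bound parameter: no row matches
    print(serve_download(root, conn, 1)[:8])             # the legitimate download still works
    for bad in ("../secret.txt", "/etc/passwd", "brochure.pdf\x00.jpg", ""):
        print(repr(bad), is_within_root(root, bad))
```

The containment test deliberately compares canonical paths with `os.path.commonpath` rather than checking a string prefix, because a prefix check would accept a sibling directory such as `downloads-private` when the root is `downloads`. Stripping `../` from the input is not a substitute for this check: the filesystem, not the request string, decides where the path ends up.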
Solution:
An updated version 1.1.0 is available in the extension repository and at typo3.org/extensions/repository/search/dam_downloads/1.1.0/
Users of the extension dam_downloads are advised to update the extension immediately.
Credits:
Thanks to Marc Bastian Heinrichs, who discovered the vulnerability and notified
the security team. Special thanks to Rupert Germann who, although he is not the extension author, volunteered to update the extension and did so within a few hours.