It has been discovered that the extension "powermail" (powermail) is vulnerable to Cross-Site Scripting, SQL Injection and Arbitrary Code Execution.
Release Date: August 8, 2012
Updated: August 9, 2012 (added update help for extension manager, added further download link)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 1.6.8 and below, 2.0.0
Vulnerability Types: Cross-Site Scripting, SQL Injection, Arbitrary Code Execution
Severity: Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:POC/RL:O/RC:C
Because the extension fails to properly sanitize user-supplied input, it is open to Cross-Site Scripting, SQL Injection and Arbitrary Code Execution attacks. Extension branch 1.x is vulnerable to Arbitrary Code Execution; extension branch 2.x is vulnerable to Cross-Site Scripting and SQL Injection. Exploiting the Arbitrary Code Execution requires a TYPO3 backend editor account; the Cross-Site Scripting and SQL Injection issues require no authentication.
An updated version 1.6.9 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/1.6.9/t3x/. An updated version 2.0.1 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/2.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible. Powermail is also available via http://ter.cablan.net/ter/p/o/powermail_1.6.9.t3x, which is a direct link to one TER mirror.
Credits go to TYPO3 Security Team member Helmut Hummel and extension author Alexander Kellner who discovered the issues. Thanks to Alexander Kellner and Nicole Cordes for providing patches.
For TYPO3 4.5 use version 1.6.9 of powermail, for TYPO3 4.6/4.7 use version 2.0.1.
Follow these steps if you want to update to version 1.6.9: In the extension manager go to "Import Extensions", search for "powermail", then right-click on the extension entry and select "import versions for powermail". You will then have the possibility to install version 1.6.9.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via e-mail.