It has been discovered that the TYPO3 prepared statement database API allows SQL Injections.
Component Type: TYPO3 Core
Affected Versions: 4.5.0 - 4.5.5
Release Date: September 14, 2011
Vulnerable subcomponent: Database API
Vulnerability Type: SQL Injection
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C
Problem Description: Because parameter values are not replaced properly, the use of prepared statements could lead to an SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two of them come from user input.
We carefully analysed the usage of prepared queries in the TYPO3 Core and found that it is not exploitable. We are also not aware of any extension in the TER that uses this feature in an exploitable way. Nevertheless, all users of TYPO3 4.5.x are advised to update their installations as soon as possible.
Solution: Update to TYPO3 version 4.5.6, which fixes the problem described.
Credits: Credits go to Franz G. Jahn who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via e-mail.