Security update: TYPO3 content management framework

last updated April 13, 2008 in Debian Linux, Linux, Security Alert

Several remote vulnerabilities have been discovered in the TYPO3 content management framework.

Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed to execute arbitrary code as the webserver user.

User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks, which is exposed when specific plugins are in use.

=> Package : typo3
=> Vulnerability : several
=> Problem type : remote
=> Debian-specific: no
=> Debian Bug : 485814

Type the following command to update the internal database, install corrected packages:
# apt-get update # apt-get upgrade

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Tagged as: arbitrary code, content management framework, debian bug, internal database, typo3, vulnerabilities, vulnerability, webserver user

Posted by: Vivek Gite

Share this on (or read 0 comments/add one below):