TYPO3 modules allow SQL injection and cross-site scripting
The developers of the kj_imagelightbox2 and sg_zfelib add-on modules for the TYPO3 open source content management system have patched security holes that allow attackers to inject SQL commands or conduct cross-site scripting attacks. The modules are all provided by third parties and are not part of the standard TYPO3 installation.
The Library for Frontend plugins (sg_zfelib) does not filter user input, allowing attackers to inject SQL commands that give them read access to the database. sg_zfelib provides functions used by other add-on components, which may therefore also be affected by the flaw. The TYPO3 developers list the following add-on components as examples:
- sg_newsplus
- sg_address
- sg_avmedia
- sg_event
- sg_genealogy
- sg_glossary
- sg_newsletter
- sg_prodprom
- sg_smallads
- sg_userdata
- sg_filelist
- sg_dictionary
The KJ:Image Lightbox v2 extension (kj_imagelightbox2) does not filter user input, and therefore allows cross-site scripting attacks. The developers have released updated versions of both modules. Users of the plug-ins are advised to download and install these updates as soon as possible.
See also:
- Cross Site Scripting vulnerability in extension "KJ: Image Lightbox v2" (kj_imagelightbox2), security advisory from the developers of TYPO3
- SQL Injection in extension "Library for Frontend plugins" (sg_zfelib), security advisory from the developers of TYPO3
- Download the latest version of kj_imagelightbox2
- Download the latest version of sg_zfelib
(mba)