Cатсн²² (in)sесuяitу / ChrisJohnRiley
Because we're damned if we do, and we're damned if we don't!
TYPO3-SA-2009-016 – felogin
TYPO3-SA-2009-016
Original Release Date: October 22, 2009
Vendor: TYPO3 (Core)
Product: TYPO3 CMS – Frontend Login Box (felogin)
Affected Versions
TYPO3 versions:
- 4.2.0 – 4.2.6
- Other versions not tested
Vulnerability Type: Cross-Site Scripting
Overall Severity: Medium
Problem Description
Because it fails to sanitize URL parameters before reflecting them into the page, the Frontend Login Box (felogin) is susceptible to Cross-Site Scripting.
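To make the class of bug concrete, the following is an added illustration and not TYPO3's felogin code: a minimal login box that reflects a URL parameter into its own markup, first without escaping and then with proper attribute-context escaping. The parameter name `redirect_url`, the form markup and the payload string are all assumptions made for the example; the actual parameter affected in felogin is not named on this page.

```php
<?php
// Added example, not TYPO3/felogin source. Shows why reflecting an
// unescaped URL parameter into HTML is an XSS, and the fix.
// Parameter name "redirect_url" and the markup are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw GET value is concatenated straight into
// an HTML attribute, so a quote in the value ends the attribute early.
function renderLoginBoxVulnerable(array $get): string
{
    $redirect = is_string($get['redirect_url'] ?? null) ? $get['redirect_url'] : '';
    return '<form method="post" action="/login">'
        . '<input type="hidden" name="redirect_url" value="' . $redirect . '">'
        . '<input type="text" name="user">'
        . '<input type="password" name="pass">'
        . '<input type="submit" value="Login">'
        . '</form>';
}

// Escape for the HTML attribute/text context. ENT_QUOTES covers both
// ' and ", ENT_SUBSTITUTE prevents invalid UTF-8 from blanking the
// output, and the explicit charset avoids the default-charset pitfall.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: identical markup, but every untrusted value passes
// through escapeForHtml() before concatenation.
function renderLoginBoxHardened(array $get): string
{
    $redirect = is_string($get['redirect_url'] ?? null) ? $get['redirect_url'] : '';
    $redirect = escapeForHtml($redirect);
    return '<form method="post" action="/login">'
        . '<input type="hidden" name="redirect_url" value="' . $redirect . '">'
        . '<input type="text" name="user">'
        . '<input type="password" name="pass">'
        . '<input type="submit" value="Login">'
        . '</form>';
}

// A rendered page is considered injected if the payload's <script> tag
// survives as real markup rather than as escaped text.
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed payload (not from the advisory): closes the value="..."
// attribute and the <input> tag, then injects a script element.
$payload = '"><script>alert(document.cookie)</script>';
$request = ['redirect_url' => $payload];

$vulnerable = renderLoginBoxVulnerable($request);
$hardened   = renderLoginBoxHardened($request);

printf("vulnerable output injected: %s\n", containsLiveScriptTag($vulnerable) ? 'yes' : 'no');
printf("hardened output injected:   %s\n", containsLiveScriptTag($hardened) ? 'yes' : 'no');
echo $hardened, PHP_EOL;
```

Run it with `php example.php`. The hardened output carries the payload as `&quot;&gt;&lt;script&gt;...`, which the browser renders as text inside the attribute value. Note that escaping is context-specific: a value that is later placed in a JavaScript string, a URL, or a `Location:` header needs a different encoder, and a redirect target should additionally be validated (for example, restricted to a relative path on the same site) rather than merely escaped.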
Impact
TYPO3 installations that use the felogin feature are exposed to possible Cross-Site Scripting attacks against users of the CMS.
Vendor Response
This problem only exists in TYPO3 versions 4.2.0 – 4.2.6 and was already fixed for version 4.2.7 while fixing a non security related issue.
Credit(s)
Credits go to Chris John Riley who discovered and reported the issue and to Stefan Lang who discovered and reported the related issue.
References
- TYPO3 Advisory (TYPO3-SA-2009-016)
<http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/>