Linux Today: Linux News On Internet Time.


Typo3 allows remote command execution via PHP

Apr 13, 2010, 12:02

[ Thanks to AV for this link. ]

"The developers of the Typo3 CMS framework have raised the alarm in an email to typo3-announce@lists.typo3.org, and security firm Secunia rates the problem "highly critical". In versions 4.3.0, 4.3.1 and 4.3.2 of Typo3 (as well as previous versions of the 4.4 development branch), attackers can inject PHP code from an external server and execute it within the Typo3 context.

"Advisory SA-2010-008 contains details about how to fix the problem. Upgrading to version 4.3.3 is one way of improving the situation. The vulnerability is also impossible to exploit if at least one of three PHP switches is set to "off":"

Complete Story
