Debian Security Advisory
DSA-2646-1 typo3-src -- several vulnerabilities
- Date Reported:
- 15 Mar 2013
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 702574.
In Mitre's CVE dictionary: CVE-2013-1842, CVE-2013-1843.
- More information:
TYPO3, a PHP-based content management system, was found vulnerable to several vulnerabilities.
Helmut Hummel and Markus Opahle discovered that the Extbase database layer was not correctly sanitizing user input when using the Query object model. This can lead to SQL injection by a malicious user inputing crafted relation values.
Missing user input validation in the access tracking mechanism could lead to arbitrary URL redirection.
Note: the fix will break already published links. Upstream advisory TYPO3-CORE-SA-2013-001 has more information on how to mitigate that.
For the stable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze8.
For the testing distribution (wheezy), these problems have been fixed in version 4.5.19+dfsg1-5.
For the unstable distribution (sid), these problems have been fixed in version 4.5.19+dfsg1-5.
We recommend that you upgrade your typo3-src packages.