[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] TYPO3-SA-2010-020, TYPO3-SA-2010-022 explained

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] TYPO3-SA-2010-020, TYPO3-SA-2010-022 explained
From: Luca Carettoni <luca.carettoni@xxxxxxxxxxxx>
Date: Thu, 30 Dec 2010 20:37:49 +0100

Hello all,
As it's now fixed by the latest TYP03 security update (see
http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-022/),
I've decided to briefly explain this interesting flaw.

An exploit and a demonstration video are also available here:
http://blog.nibblesec.org/2010/12/typo3-sa-2010-020-typo3-sa-2010-022.html

Please note that coincidentally Gregor Kopf has just disclosed the same
vulnerability (among other amazing bugs!) during his BerlinSides talk
(http://gregorkopf.de/slides_berlinsides_2010.pdf). He was originally
credited in the TYPO3-SA-2010-020 bulletin, whereas in the latest update
(TYPO3-SA-2010-022) we are both credited as I've been independently
working on the same issue. Well done @teh_gerg!
 
Cheers,
Luca


-- 
Luca Carettoni <luca.carettoni@xxxxxxxxxxxx>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Universal XSS vulnerability in Ad Muncher
Next by Date: [Full-disclosure] Career Criminal Andrew Auernheimer has Violent Ideations of Law Enforcement
Previous by thread: [Full-disclosure] Universal XSS vulnerability in Ad Muncher
Next by thread: [Full-disclosure] Career Criminal Andrew Auernheimer has Violent Ideations of Law Enforcement
Index(es):
- Date
- Thread