SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   TYPO3 Vendors:   typo3.org
TYPO3 Links Section Input Validation Hole in 'category_uid' Permits SQL Injection
SecurityTracker Alert ID:  1013364
SecurityTracker URL:  http://securitytracker.com/id/1013364
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Mar 5 2005
Original Entry Date:  Mar 3 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in TYPO3 in the Links Section add-on. A remote user can inject SQL commands.

The software does not properly validate user-supplied input in the 'category_uid' variable. A remote user can submit a specially crafted URL to execute SQL commands on the underlying database.

The vulnerability resides in the Links Section add-on module.

A demonstration exploit URL is provided:

http://[UrlToLinksSection]?&no_cache=1&action=getviewcategory&category_uid=1%20or%201=1

Neonomicus reported this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.typo3.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 5 2005 (Vendor Issues Fix for cmw_linklist) TYPO3 Links Section Input Validation Hole in 'category_uid' Permits SQL Injection
The vendor has issued a fix.



 Source Message Contents

Subject:  TYPO3 SQL Injection vunerabilitie




Hello Bugtraq :)
Two week ago I found a SQL Inejetion vulnerabilitie in Typo3 (in the links-section/module/whatever you call it).
I didn't really try to develope an exploit because I thought typo3 would directly react. 
But unfortunately that didn't happen :/

So here is the url that "exploits" the vulnerabilitie in a friendly way ;)

http://[UrlToLinksSection]?&no_cache=1&action=getviewcategory&category_uid=1%20or%201=1

Maybe someone will find a way to exploit this one in a maliceous way so get typo3 to update it's software!

C ya
Neonomicus :)

Greets go out to:
Visus, Data-Storm-Industries-crew, Feanor, juck, the orkut-community :D, everybody I forgot ^^

Visit me at http://data-storm.com :)

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC