FreeBSD : typo3 -- Multiple vulnerabilities in TYPO3 Core (b9a347ac-8671-11e2-b73c-0019d18c446a)

This script is Copyright (C) 2013 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

TYPO3 Security Team reports :

Extbase Framework - Failing to sanitize user input, the Extbase
database abstraction layer is susceptible to SQL Injection. TYPO3
sites which have no Extbase extensions installed are not affected.
Extbase extensions are affected if they use the Query Object Model and
relation values are user generated input. Credits go to Helmut Hummel
and Markus Opahle who discovered and reported the issue.

Access tracking mechanism - Failing to validate user provided input,
the access tracking mechanism allows redirects to arbitrary URLs. To
fix this vulnerability, we had to break existing behaviour of TYPO3
sites that use the access tracking mechanism (jumpurl feature) to
transform links to external sites. The link generation has been
changed to include a hash that is checked before redirecting to an
external URL. This means that old links that have been distributed
(e.g. by a newsletter) will not work any more.
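The hash-protected redirect described above, modelled as an added example that is not TYPO3's own code: the link generator attaches an HMAC over the target URL, and the redirect endpoint refuses any request whose hash is missing or does not match. The query parameter name `hash` and the secret key are assumptions for this example; a legacy resolver is kept alongside to show why old, unsigned links stop working after the fix.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed secret for this example; a deployment keeps it in server-side config.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def sign_target(target_url: str) -> str:
    """Hex HMAC-SHA256 over the exact target URL that the link points to."""
    return hmac.new(SECRET_KEY, target_url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_jump_link(base: str, target_url: str) -> str:
    """Generate a tracking link: base?jumpurl=<target>&hash=<hmac>.
    The 'hash' parameter name is an assumption, not TYPO3's identifier."""
    query = urlencode({"jumpurl": target_url, "hash": sign_target(target_url)})
    return f"{base}?{query}"


def resolve_redirect_legacy(link: str):
    """Pre-fix behaviour: redirect to whatever jumpurl says, no validation.
    Anyone can craft a link on the trusted domain that lands on an arbitrary URL."""
    params = parse_qs(urlsplit(link).query)
    return params.get("jumpurl", [None])[0]


def resolve_redirect(link: str):
    """Fixed behaviour: return the target only when the attached hash verifies,
    otherwise None (the endpoint should answer with an error, not a redirect)."""
    params = parse_qs(urlsplit(link).query)
    target = params.get("jumpurl", [None])[0]
    given = params.get("hash", [None])[0]
    if target is None or given is None:
        return None  # old links distributed before the fix carry no hash
    expected = sign_target(target)
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(given.encode("utf-8"), expected.encode("utf-8")):
        return None  # target was swapped after signing, or hash was guessed
    return target
```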

See also :

http://www.nessus.org/u?6092781d
http://www.nessus.org/u?327e8692

Solution :

Update the affected packages.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 65068

Bugtraq ID:

CVE ID:
