FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- Remote Code Execution

Affected packages
4.6 <= typo3 < 4.6.2
typo3 < 4.5.9

Details

VuXML ID 3c957a3e-2978-11e1-89b4-001ec9578670
Discovery 2011-12-16
Entry 2011-12-18

The typo3 security team reports:

A crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external source and to execute it on the TYPO3 installation.

This is caused by a PHP file, which is part of the workspaces system extension, that does not validate passed arguments.
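The report above describes the general remote-file-inclusion pattern: a PHP script builds an include path from a request argument it never validates. The following is an added illustration, not code from TYPO3 or from this advisory; the file, parameter and handler names are hypothetical. It places the unsafe pattern beside one way to harden it (an allowlist of known names plus a resolved-path check under a fixed directory).

```php
<?php
// Added illustration (not TYPO3 code): the general pattern behind the advisory,
// an include path taken from the request, and one way to harden it.
// All names here are hypothetical.

// Unsafe pattern: the request parameter goes straight into include().
// With allow_url_include enabled this can pull code from a remote URL; even
// with it off, arbitrary local files remain reachable.
function loadHandlerUnsafe(array $request): void
{
    $name = $request['handler'] ?? '';
    include $name . '.php';
}

// Hardened pattern: accept only known handler names and resolve them inside a
// fixed directory, rejecting anything that resolves outside it.
const HANDLER_DIR = __DIR__ . '/handlers';
const ALLOWED_HANDLERS = ['preview', 'publish', 'diff'];

function resolveHandlerPath(string $name): ?string
{
    if (!in_array($name, ALLOWED_HANDLERS, true)) {
        return null;
    }
    $base = realpath(HANDLER_DIR);
    $path = realpath(HANDLER_DIR . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses any "../"
    // segments; require the resolved file to still sit under HANDLER_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function loadHandlerSafe(array $request): void
{
    $path = resolveHandlerPath((string)($request['handler'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        exit('invalid handler');
    }
    include $path;
}
```

Two operational checks go with this: keep `allow_url_include=Off` in php.ini (the default since PHP 5.2), so an unvalidated include cannot fetch code over HTTP even if such a defect slips through, and on FreeBSD run `pkg audit -F`, which checks installed ports against this VuXML database and reports the affected typo3 versions listed above.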

References

CVE Name CVE-2011-4614
URL http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/