Vigil@nce - TYPO3 Direct Mail Subscription: SQL injection of feuser_adminLib.inc
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a SQL injection in feuser_adminLib.inc of
TYPO3 Direct Mail Subscription, in order to read or alter data.
Impacted products: TYPO3 Extensions
Severity: 2/4
Creation date: 12/02/2014
DESCRIPTION OF THE VULNERABILITY
The TYPO3 Direct Mail Subscription product uses a database.
However, user-supplied data is inserted directly into a SQL query
via feuser_adminLib.inc.
An attacker can therefore use a SQL injection in
feuser_adminLib.inc of TYPO3 Direct Mail Subscription, in order to
read or alter data.