11.09.06 09:00

Security Bulletin TYPO3-20060911-1: indexed search

Category: Security, www.typo3.org

By: Michael Hirdes

A cross-site scripting (XSS) problem has been discovered in indexed search.

Component Type: System Extension
This extension is part of the TYPO3 default installation.

Affected Components: Indexed Search

Versions: 2.9.0 under TYPO3 4.x

Vulnerability Type: Cross Site Scripting

Severity: medium

The search word was not escaped correctly, so a prepared URL (e.g. one referenced in an email) could potentially contain unwanted JavaScript code.
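The class of bug described above, shown as an added example that is not the TYPO3 code or the patch from this bulletin: a search word echoed back into the page unescaped, next to the escaped form, with a small regression check. The function names and the `q` parameter are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. The function names and the "q"
// parameter are hypothetical.

// Before: the search word is concatenated into the markup as-is.
function renderSearchHeaderUnsafe(string $word): string
{
    return '<h2>Results for ' . $word . '</h2>'
         . '<input type="text" name="q" value="' . $word . '">';
}

// After: the word is HTML-encoded before output. ENT_QUOTES encodes both
// quote styles, so the value cannot break out of the attribute either.
function renderSearchHeaderSafe(string $word): string
{
    $escaped = htmlspecialchars($word, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Results for ' . $escaped . '</h2>'
         . '<input type="text" name="q" value="' . $escaped . '">';
}

// Regression check: the fixed template contains exactly 3 '<' and 6 '"'.
// Any other count means the search word added markup of its own.
function introducesMarkup(string $html): bool
{
    return substr_count($html, '<') !== 3 || substr_count($html, '"') !== 6;
}

// Constructed sample inputs: a normal query, a tag, and an attribute break-out.
$samples = [
    'typo3 extension',
    '<script>alert(1)</script>',
    '" onfocus="alert(1)',
];

foreach ($samples as $word) {
    printf(
        "%-28s unsafe: %-5s safe: %s\n",
        $word,
        var_export(introducesMarkup(renderSearchHeaderUnsafe($word)), true),
        var_export(introducesMarkup(renderSearchHeaderSafe($word)), true)
    );
}
```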

Solution:

Upgrade to TYPO3 4.0.2 or apply the patch provided on the security team page under the Security Bulletin:
http://typo3.org/teams/security/security-bulletins/typo3-20060911-1/

Credits: Special thanks to Mr. Ekkehard Gümbel, who pointed this one out to us, and to Mr. Michael Stucki, who provided the patch.