SQL Injection in fechangepassword

ID TYPO3-20070710-1
Type typo3
Reporter TYPO3 Association
Modified 2007-07-10T00:00:00


It has been discovered that the extension fechangepassword is vulnerable to SQL injection when updating the password.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation

Affected Versions: Version 2.1.2 and all versions below

Vulnerability Type: SQL Injection

Severity: HIGH

Problem Description: When changing the password, it is possible to post malicious data that is injected into the SQL UPDATE query.
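The defect class described above, as an added illustration that is not code from the fechangepassword extension or from TYPO3: a password-change handler that splices the submitted value into the SQL text, beside one that binds it as a parameter. The table layout, the in-memory SQLite database and the sample rows are constructed for the example; the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for the frontend user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO fe_users (uid, username, password) VALUES (?, ?, ?)",
        [(1, "alice", "old-a"), (2, "bob", "old-b")],
    )
    conn.commit()
    return conn

def update_password_vulnerable(conn, uid, new_password):
    # Vulnerable pattern: the submitted value becomes part of the SQL text,
    # so any quote character in it reaches the SQL parser as syntax.
    sql = "UPDATE fe_users SET password = '%s' WHERE uid = %d" % (new_password, uid)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def update_password_safe(conn, uid, new_password):
    # Hardened pattern: bound parameters are passed to the engine as data
    # and are never interpreted as SQL, whatever characters they contain.
    cur = conn.execute(
        "UPDATE fe_users SET password = ? WHERE uid = ?", (new_password, uid)
    )
    conn.commit()
    return cur.rowcount

def stored_password(conn, uid):
    row = conn.execute("SELECT password FROM fe_users WHERE uid = ?", (uid,)).fetchone()
    return row[0]

def demo():
    conn = make_db()
    tricky = "it's"  # constructed input containing a single quote
    safe_rows = update_password_safe(conn, 1, tricky)
    try:
        update_password_vulnerable(conn, 2, tricky)
        vuln_outcome = "executed"
    except sqlite3.OperationalError:
        # The quote terminated the string literal: proof that user data is
        # being parsed as SQL, which is exactly the injection condition.
        vuln_outcome = "sql_error"
    return {
        "safe_rows": safe_rows,
        "safe_stored": stored_password(conn, 1),
        "vuln_outcome": vuln_outcome,
        "bob_stored": stored_password(conn, 2),
    }

if __name__ == "__main__":
    print(demo())
```

The quote in the constructed input makes the concatenated UPDATE fail outright; a value shaped to keep the statement syntactically valid would instead execute with attacker-chosen SQL, which is the condition the advisory describes. The safe variant stores the value byte for byte and touches only the intended row. In TYPO3 extension code of this era the equivalent mitigation is to quote every value with the database API's fullQuoteStr() (or a prepared statement) rather than concatenating it.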

Solution: An updated version is available from the TYPO3 extension manager at http://typo3.org/extensions/repository/view/fechangepassword/2.2.0/

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook.

Credits: Credits go to Allan Jacobsen who is the author and fixed the issue.