It has been discovered that the extension 404 Error Page Handling (error_404_handling) is susceptible to SQL Injection attacks.
Component Type: Third party extension. This extension is not part of the TYPO3 default installation.
Affected Versions: 0.1.1 and all versions below
Vulnerability Type: SQL Injection
Release Date: 14.04.2010
Problem Description: Because it fails to validate and sanitize user input, the extension is susceptible to SQL Injection, making it possible to manipulate SQL queries by injecting arbitrary SQL code.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. At the time of writing, we don't know of a security update of the extension regarding the existing vulnerability, since we have been unable to get in contact with the author. For the time being, please uninstall this extension and delete all files belonging to it from your TYPO3 installation.
Solution: Should the author decide to reply to our request and provide a fixed version, the extension could return to the TYPO3 Extension Repository.
Credits: Credits go to Frederic Gaus, who discovered and reported the issue.
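To confirm that the removal described under Solution is complete, the following added example (not part of the original advisory or of TYPO3) checks a site root for leftover copies of the extension and for a remaining entry in the loaded-extension list. It assumes a TYPO3 4.x layout (`typo3conf/ext`, `typo3/ext`, `typo3/sysext`, and `extList` in `typo3conf/localconf.php`); all function names are hypothetical and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

EXT_KEY = "error_404_handling"   # extension key named in the advisory
LAST_AFFECTED = (0, 1, 1)        # "0.1.1 and all versions below"
# Assumption: TYPO3 4.x layout (local, global and system extension directories).
EXT_DIRS = ("typo3conf/ext", "typo3/ext", "typo3/sysext")

def parse_version(text):
    """Return the 'version' entry of ext_emconf.php as an int tuple, or None."""
    m = re.search(r"""['"]version['"]\s*=>\s*['"](\d+(?:\.\d+)*)['"]""", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_loaded(site_root):
    """True if the last extList assignment in localconf.php lists the extension."""
    conf = Path(site_root) / "typo3conf" / "localconf.php"
    if not conf.is_file():
        return False
    lists = re.findall(r"\['extList'\]\s*=\s*'([^']*)'", conf.read_text(errors="replace"))
    return bool(lists) and EXT_KEY in [k.strip() for k in lists[-1].split(",")]

def audit(site_root):
    """Return one finding per copy of the extension still present on disk."""
    findings, loaded = [], is_loaded(site_root)
    for rel in EXT_DIRS:
        ext = Path(site_root) / rel / EXT_KEY
        if not ext.is_dir():
            continue
        emconf = ext / "ext_emconf.php"
        version = parse_version(emconf.read_text(errors="replace")) if emconf.is_file() else None
        # No fixed release is known, so an unreadable version counts as affected.
        affected = version is None or version <= LAST_AFFECTED
        findings.append({"path": str(ext), "version": version,
                         "affected": affected, "loaded": loaded})
    return findings

def build_sample(root, version="0.1.1", ext_list="cms,lang,error_404_handling"):
    """Constructed sample tree for the demo; not a real TYPO3 installation."""
    ext = Path(root) / "typo3conf" / "ext" / EXT_KEY
    ext.mkdir(parents=True)
    (ext / "ext_emconf.php").write_text(
        f"<?php\n$EM_CONF[$_EXTKEY] = array('version' => '{version}');\n")
    (Path(root) / "typo3conf" / "localconf.php").write_text(
        f"<?php\n$TYPO3_CONF_VARS['EXT']['extList'] = '{ext_list}';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

An empty result from `audit()` means no copy of the extension directory remains under the assumed locations; any finding with `loaded` set means the extension is still listed as installed.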