Extensions are frequently responsible for compromises of TYPO3 systems, which is why it is always advisable to keep the number of third-party extensions as low as possible. Beyond that, it is best to use only extensions that are regularly revised and actively developed.
Here are the affected extensions and their extension keys:
- TYPO3-EXT-SA-2016-028: Cross-Site Scripting in extension "Store Locator" (locator) typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-028/
- TYPO3-EXT-SA-2016-029: Insecure Unserialize and SQL Injection in extension "Code Highlighter" (mh_code_highlighter) typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-029/
- TYPO3-EXT-SA-2016-030: SQL Injection in extension "Shibboleth Authentication" (shibboleth_auth) typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-030/
- TYPO3-EXT-SA-2016-031: Cross-Site Scripting in extension "Secure Download Form" (rs_securedownload) typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-031/
- TYPO3-EXT-SA-2016-032: SQL Injection in extension "Member Infosheets" (if_membersheet) typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-032/
- TYPO3-EXT-SA-2016-033: Unvalidated Redirect in extension "TC Directmail" (tcdirectmail) typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2016-033/
In addition, some generally helpful information:
The TYPO3 Security Guide:
https://docs.typo3.org/typo3cms/SecurityGuide/
Make sure you are subscribed to the TYPO3 Announce List:
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce
See all TYPO3 security advisories: