
mm_forum version 1.8.3 available in TER

mm_forum 1.8.3 released in TER due to a security-related issue.
Added by Martin Helmich about 3 years ago

Version 1.8.3 of the mm_forum extension is now available in the TYPO3 Extension Repository. The new version fixes a security-related bug that allows Cross-Site Scripting.

The vulnerability can be avoided by using a specific TypoScript setup. The new version only changes the default value of a specific configuration property. If, for any reason, you cannot upgrade to the new version, you can fix the XSS vulnerability just as well by inserting

plugin.tx_mmforum_pi1.validatorSettings.quotes = double

into your TypoScript setup. Credits go to Stefanos Karasavvidis, who initially discovered the problem.


Comments

Added by Marcus Krause about 3 years ago

Here is the related advisory TYPO3-SA-2010-007: http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-007/

Thanks to Martin Helmich for informing us.

Added by Stefan Kaufmann about 3 years ago

Hello there,
Putting the above TypoScript line into setup renders the quote function unusable. The 'quote' bb code still works, but not when referred to a specific user, i.e. when using the quote-button in the forum. Regards, Stefan

e.g. [quote="username"]Zitat[/quote], this does not work
[quote]Zitat[/quote], this works