Bug #30753


SQL Injection in Scheduler Task of Linkvalidator

Added by Oliver Hader over 12 years ago. Updated over 10 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: Linkvalidator
Target version:
Start date: 2011-10-10
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

PoC:
  • install linkvalidator system extension
  • create new scheduler task
  • enter anything in field "start page (uid)"

The tx_linkvalidator_tasks_ValidatorAdditionalFieldProvider executes a SQL query without casting the value to integer.

Severity: medium since only admin users can define new scheduler tasks

Affected: 4.5, 4.6


Files

sec_30753.patch (1005 Bytes) - Security bug fix - Oliver Hader, 2011-10-10 21:33
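
The pattern the description reports, next to a hardened form, as an added example that is not TYPO3's code and not the attached patch. The in-memory SQLite table, the function names and the sample field values are constructed assumptions, and the hardened variant uses strict integer validation plus a bound parameter rather than a plain integer cast.

```php
<?php
// Constructed stand-in for the "pages" table (not real TYPO3 data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages (uid, title) VALUES (1, 'Home'), (2, 'Intranet')");

// Reported pattern: the submitted "start page (uid)" value becomes SQL text.
function findStartPageUnsafe(PDO $db, $submitted)
{
    return $db->query('SELECT uid, title FROM pages WHERE uid=' . $submitted)
        ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive integer, then bind it as an integer.
// A bare intval() cast also keeps the value out of the SQL grammar, but it
// silently turns '2 OR 1=1' into 2 instead of rejecting the input.
function findStartPageSafe(PDO $db, $submitted)
{
    $uid = filter_var($submitted, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    if ($uid === false) {
        return null; // reject the task configuration, run no query
    }
    $stmt = $db->prepare('SELECT uid, title FROM pages WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample field values: valid uid, SQL fragment, non-numeric text.
foreach (array('2', '2 OR 1=1', 'abc') as $input) {
    try {
        $unsafe = count(findStartPageUnsafe($db, $input)) . ' row(s)';
    } catch (PDOException $e) {
        $unsafe = 'SQL error';
    }
    $safe = findStartPageSafe($db, $input);
    printf("%-12s unsafe: %-10s safe: %s\n", var_export($input, true), $unsafe,
        $safe === null ? 'rejected' : count($safe) . ' row(s)');
}
```

The differing row counts and the SQL error from the unsafe function show that the field value is being parsed as SQL; the safe function returns either exactly the requested page or a rejection.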