Connectivity.Engineer, in partnership with Hop Off A Cloud (the entity that took over hosting for Typo3USA and Web Empowered Church (WEC)), has notified each of its WEC TYPO3 platform users of a vulnerability in the TYPO3 / Web Empowered Church platform.
The News module, used by ALL WEC INSTALLS and the 20th most used extension in TYPO3, is subject to an SQL injection vulnerability. Sadly, the module's author has been contacted numerous times over a span of four months and no fix has been provided. After those repeated requests went unanswered, the details of the SQL injection were released to the TYPO3 community at large.
overrideDemand is set to 1, which is the case by default.
The module is organized as an MVC architecture. As a user, you're allowed to list and read news.
The former allows you to define criteria to filter out news, such as the author, categories, date of publication, etc.
To learn more about the exploit itself, please see the blog post from the folks at Ambionics.IO.
Perhaps the most discouraging part of this exploit is that the author/developer of this extension has NOT responded, which leaves site owners with the workarounds the Ambionics post describes:
The best way to patch this is to block users from changing the demand parameters by setting overrideDemand to zero. Another way would be to block keys containing any case-variation and URL-encoding of OrderByAllowed from GET and POST.
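The second workaround quoted above, a filter that drops any GET/POST key containing orderByAllowed in any case variation or URL-encoding, as a stand-alone illustration added to this page. It is not code from Ambionics, from the News extension, or from TYPO3: in a real deployment the same rule would sit in PHP in front of the plugin or in a WAF rule, and the parameter names and the sample query string below are constructed for the demonstration (the `tx_news_pi1[overrideDemand][...]` shape is an assumption about how the plugin names its request arguments).

```python
"""Request-key filter for the mitigation quoted above (added example).

Rejects any request parameter whose *key* contains "orderByAllowed" in any
case variation or URL-encoding, including double encoding, so that a key the
extension's own comparison would not recognise never reaches it.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, unquote

BLOCKED_FRAGMENT = "orderbyallowed"   # compared after full decoding + lower-casing


def normalize_key(raw_key: str, max_rounds: int = 5) -> str:
    """Canonical form of a parameter key: fully URL-decoded and lower-cased.

    Decoding is repeated until the string stops changing (bounded by
    max_rounds) so that %25-style double encoding is unwrapped as well.
    """
    current = raw_key
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def key_is_blocked(raw_key: str) -> bool:
    """True if the parameter must be dropped from the request."""
    return BLOCKED_FRAGMENT in normalize_key(raw_key)


def filter_query_string(query_string: str) -> tuple[dict[str, str], list[str]]:
    """Split a raw query string into (kept parameters, rejected keys).

    parse_qsl performs one round of URL decoding itself; normalize_key then
    strips any remaining layers. Values are left alone: the bypass lives in
    the key, and ordinary demand values (category ids, dates) must keep working.
    """
    kept: dict[str, str] = {}
    rejected: list[str] = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key_is_blocked(key):
            rejected.append(key)          # key as seen after parse_qsl's decoding
        else:
            kept[key] = value
    return kept, rejected


# Constructed sample request (not captured from any real site): two benign
# demand overrides followed by three attempts to smuggle an orderByAllowed key.
SAMPLE_QUERY = "&".join([
    "tx_news_pi1[overrideDemand][categories]=3",
    "tx_news_pi1[overrideDemand][orderBy]=datetime",
    "tx_news_pi1[overrideDemand][OrDeRbYaLlOwEd]=uid",           # case variation
    "tx_news_pi1[overrideDemand][%4frderByAllowed]=uid",         # single URL-encoding of "O"
    "tx_news_pi1[overrideDemand][%25%34%66rderByAllowed]=uid",   # double URL-encoding of "O"
])


def run_sample() -> tuple[dict[str, str], list[str]]:
    """Apply the filter to the constructed sample request."""
    return filter_query_string(SAMPLE_QUERY)


if __name__ == "__main__":
    kept, rejected = run_sample()
    print("kept:    ", kept)        # the two benign overrides survive
    print("rejected:", rejected)    # all three smuggling attempts are dropped
```

The first workaround in the quote is a configuration change rather than code: the News extension's demand override is a TypoScript setting, and on the assumption that it lives at the usual `plugin.tx_news.settings` path, `plugin.tx_news.settings.overrideDemand = 0` in the site's TypoScript setup turns it off for every plugin instance. The filter above is the fallback for sites that need user-driven demand overrides (category or date filtering from the URL) and therefore cannot set it to zero.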