Password recovery for frontend users before TYPO3 4.3 was poor and insecure. Passwords were sent by e-mail in plain text, and the recovery form could be abused to reveal private information to the public. While implementing the felogin sysext for a community website, I was surprised to find some fundamental changes in the recovery method in TYPO3 4.3.
A frequently used feature of TypoScript is stdWrap. It provides many functions and wrappers to parse your data and serves as a multipurpose parsing suite with helpers of every kind. dataWrap is one of the most powerful among them, but it is also one of the trickiest. Read on for a little demonstration of how to add security to your TypoScript by applying the stdWrap function "htmlSpecialChars" to data in dataWrap...
Whenever you use GET/POST parameters in SQL queries, you face the risk of SQL injection. The golden rule here is never to trust user parameters, but always to properly check and escape values. This article introduces a TYPO3 extension that helps to sanitize parameters by extending TypoScript stdWrap. PLEASE ALSO READ THE COMMENTS ON THIS ARTICLE FOR UPDATES IN THE TYPO3 CORE TO TACKLE THIS ISSUE!
Using GET/POST vars in SQL queries involves the risk of SQL injection if the parameter is not properly sanitized. There are lots of warnings and documents on the web about how to prevent this in PHP scripts. But what about TypoScript?
A long time ago, the security team promised to release a ruleset for a Web Application Firewall (WAF) based on Apache's mod_security. Some are still waiting for an official announcement after the conference talk at T3CON07. And some have heard about it in today's talk at T3CON08.
Today, the TYPO3 security team released a collective security bulletin. Since I am the author of one extension which was listed in the bulletin (kw_secdir), I'd like to comment on this a little bit. Especially the severity of "high" sounds evil, but it's IMHO less dangerous than some might think.