TYPO3 Display CSV / Excel files or database tables ('cag_tables') Extension Multiple Vulnerabilities

Bugtraq ID:	52797
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 28 2012 12:00AM
Updated:	Mar 28 2012 12:00AM
Credit:	Frederic Gaus
Vulnerable:	Typo3 Display CSV / Excel files or database tables 3.0.2
Not Vulnerable:	Typo3 Display CSV / Excel files or database tables 3.0.3

TYPO3 Display CSV / Excel files or database tables ('cag_tables') Extension Multiple Vulnerabilities

TYPO3 Display CSV / Excel files or database tables ('cag_tables') extension is prone to an unspecified SQL-injection vulnerability, a cross-site scripting vulnerability, and a file disclosure vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database to access files in the context of the web server.

Display CSV / Excel files or database tables ('cag_tables') 3.0.2 and prior versions are vulnerable.

TYPO3 Display CSV / Excel files or database tables ('cag_tables') Extension Multiple Vulnerabilities

Solution:
Updates are available; please see the references for more information.

TYPO3 Display CSV / Excel files or database tables ('cag_tables') Extension Multiple Vulnerabilities

References:

• Synnefoims Homepage (synnefoims)
  
• TYPO3 Security Bulletin TYPO3-EXT-SA-2012-005: Several vulnerabilities in third (Typo3)