Month: February 2016

TYPO3 6.2.19 and TYPO3 7.6.4 released – Security Updates

On Tuesday, February 23rd, the TYPO3 development team released the maintenance and security updates of TYPO3 for the versions 6.2 and 7.6. Four security patches and many bugfixes were included. Read on for details …

Fixed Security Vulnerabilities

Security bulletins were published for the following issues:

XML External Entity (XXE) Processing in TYPO3 Core
TYPO3 versions: 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3
Severity: Low
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-005/

Cross-Site Scripting in TYPO3 component Backend
TYPO3 versions: 6.2.0 to 6.2.18
Severity: Low
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-006/

Cross-Site Scripting in TYPO3 component CSS styled content
TYPO3 versions: 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3
Severity: Medium
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-007/

Denial of Service attack possibility in TYPO3 component Indexed Search
TYPO3 versions: 6.2.0 to 6.2.18 and 7.6.0 to 7.6.3
Severity: High
Link to security bulletin: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-008/

All issues are solved by installing the recent versions and do not need any additional action. If you are looking for the changed lines of code, have a look at the TYPO3 review system. The patches are tagged with “security”. You are strongly advised to install the new versions. You can download the packages from TYPO3.org. If you participate in the TYPO3 4.5 ELTS program, you have already received a notice about the updates.

Bugfixes

Besides the four security issues, many bugfixes hit the TYPO3 core. Version 6.2.18 received two bugfixes. The most current LTS version, version 7, received 21...


Fluid Styled Content – Next Generation TYPO3 Templating

Fluid Styled Content (FSC) is the new standard for rendering the standard content elements of TYPO3 in the frontend. It is a replacement for the good old system extension “CSS Styled Content” (CSC). The goal of FSC is to ease the templating for the frontend. This article shows how to use and customize FSC.

What’s new?

CSC has done the complete rendering via TypoScript since the beginning. As you probably know, it was really a pain to customize the frontend rendering, especially if it is / was not your daily business. In contrast to that, FSC comes only with...


TYPO3 6.2.18 and TYPO3 7.6.3 released – Security & Bugfix Update

On Tuesday, February 17th, the TYPO3 development team released the maintenance updates of TYPO3 for the versions 6.2 and 7.6. Four security patches and many bugfixes were included. Read on for details …

Fixed Security Vulnerabilities

Security bulletins were published for the following issues:

SQL Injection in dbal (EXT:dbal)
TYPO3 versions: 6.2.0 – 6.2.17
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-001/
If you are using dbal with MySQL passthrough enabled, you are hit by this severe issue.

Cross-Site Scripting in link validator component (EXT:linkvalidator)
TYPO3 versions: 6.2.0 – 6.2.17, 7.6.0 – 7.6.2
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-002/
This enables cross-site scripting in the backend using the link validator. In order to exploit this issue, the attacker must have a valid backend login and access to content which is scanned by the linkvalidator.

Cross-Site Scripting in content element “form” (legacy)
TYPO3 versions: 6.2.0 – 6.2.17
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-003/
A cross-site scripting vulnerability was detected in the content element form. In order to exploit this issue, the attacker must have a valid backend login and access to a form content element.

Cross-Site Scripting in form component (EXT:form)
TYPO3 versions: 6.2.0 – 6.2.17
Link: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-004/
This issue can be exploited by any website visitor using a form provided by the system extension “form”. The extension fails to sanitize the user input properly.

All issues are solved by installing the recent versions. If you are looking for the changed lines of code,...


Image Cropping in TYPO3 Backend

Since TYPO3 version 7 there is a new image cropping tool available in the backend. It enables the editors to select and save a region of an image right where they add the image. This post explains the usage, its configuration and how to use it in your own extensions.

For Editors

The cropping tool is available on the tab “Media” in the content elements of type “Text & Media”. A click on the button “Open Editor” opens the cropping tool. On the left side of the editor there is the original image, on the right side there is...


Get in touch with TYPO3 companions

Like (probably) any other open source community, the TYPO3 community is distributed around the world. In order not to get lost in the digital universe, all community members should stay in contact. This should be not only by digital means, but also afk (away from keyboard). Here is an overview of how you can get or stay in contact with each other.

TYPO3 Usergroups

TYPO3 usergroups are (in most cases) regularly held meetups where you can meet local fellows. On typo3.org you find a list of current usergroups (https://typo3.org/community/typo3-user-groups/) with 27 groups worldwide and 20 user groups in Germany. Many...
