A very serious security issue has been discovered in Typo3 core, all versions including 4.2.5 are affected. According to some this is the most critical security breach in Typo3 ever discovered. The vulnerability allows attackers to “download the contents of any file on the server, i.e. typo3conf/localconf.php, which holds both install tool password alongside database username and password“.
There is a fix, Typo3 version 4.2.6. which is available as of today. And there are also other solutions and patches, read carefully the security bulletin and fix your Typo3 installation if you care for your files, passwords and other data on your webserver.
Laszlo Bodor
