[Typo3-dev] BE Login through URL?
Christoph Moeller
moeller at network-publishing.de
Thu May 27 10:46:34 CEST 2004
Hi Stig,
Stig N. Jepsen wrote:
> So what Markus Lange does on this homepage:
> http://typo3.bgm-gmbh.de/news.0.html (click on the red 'Login')
> is basically insecure?
Well... it does exactly what it's supposed to do: it transfers people to
the filled-in login page, thus enabling them to do editing without
having to give the credentials themselves. I'd say this is wanted in
this case, not necessarily insecure. Although, your site is then open to
the known JS attack (BE users can steal the admin session) - as stated
by Andreas Schwarzkopf - which has been fixed by an additional security
setting. Plus, you are then able to view (read-only) the entire site
tree at http://typo3.bgm-gmbh.de/typo3/alt_main.php, of course (that can
further be locked down by using DB mounts).
Greets,
Chris