[Typo3-dev] defined vars

Jan-Erik Revsbech jer at moccompany.com
Wed Oct 20 15:08:37 CEST 2004


You just make sure that MySQL is set up such that the user TYPO3_db_username
is only allowed to connect from localhost (or the host where your webserver
is running). This way you would need a login on the local machine to access
the db. I can see that it is still sort of a security hole, but it is not so
critical in my opinion.

/Jan-Erik
----- Original Message ----- 
From: "Daniel Gercke" <gercke at hnm.de>
To: "List for Core-/Extension development" <typo3-dev at lists.netfielders.de>
Sent: Wednesday, October 20, 2004 1:59 PM
Subject: [Typo3-dev] defined vars


> Hi all,
>
> while writing my own extension I called get_defined_constants().
> And I couldn't believe what I saw:
>
> TYPO3_db real_db_name
> TYPO3_db_username real_username
> TYPO3_db_password real_password
> TYPO3_db_host real_host
>
> I think this is a security hole (TYPO3 v. 3.6.2).
> If I think about it, I could write an extension which is used by many
> people, and it can mail me some database accounts.
>
> -- 
>
> Daniel Gercke
>
> programming . systems management
>
>
> --
> haus neuer medien GmbH . agency for new drive
> .
> Tel 03834 8313 0 . Fax 8313 13 . info at hnm.de . www.hnm.de
> Wolgaster Strasse 146  (Ollmannsche Villa) . 17489 Greifswald
> AG Stralsund HRB 5089 . Managing Director RA Daniel Scheibner
> .
> -- 
>
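The host restriction suggested in the reply, written out as an added example that is not part of the original thread. It assumes MySQL 5.7 or later syntax; the account name `typo3_user`, the database name `typo3_db`, the address `192.0.2.10`, the password placeholder and the privilege list are constructed placeholders, not values from the thread.

```sql
-- Constructed placeholders: account 'typo3_user', database 'typo3_db'.

-- 1. Audit: every host pattern the TYPO3 account may connect from.
SELECT user, host
FROM mysql.user
WHERE user = 'typo3_user';

-- 2. Flag rows that allow a network login with the credentials an
--    extension can read via get_defined_constants().
SELECT user, host
FROM mysql.user
WHERE user = 'typo3_user'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- Weak setup this audit is meant to catch (shown commented out):
--   CREATE USER 'typo3_user'@'%' IDENTIFIED BY '...';
--   GRANT ALL PRIVILEGES ON *.* TO 'typo3_user'@'%';

-- 3. Remove the wildcard-host account if the audit found one.
DROP USER IF EXISTS 'typo3_user'@'%';

-- 4. Keep a single account bound to the local machine.
--    If the web server runs on a separate host, use that host instead,
--    e.g. 'typo3_user'@'192.0.2.10' (constructed address).
CREATE USER IF NOT EXISTS 'typo3_user'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_NEW_PASSWORD';

-- 5. Scope privileges to the one TYPO3 database rather than *.*.
--    The host restriction only limits where a copied password works;
--    code running inside TYPO3 still connects as this account, so the
--    grant itself should be as narrow as the site allows.
--    (Privilege list is an assumption; adjust to what the site needs.)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
  ON typo3_db.* TO 'typo3_user'@'localhost';

-- 6. Verify the result.
SHOW GRANTS FOR 'typo3_user'@'localhost';
```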
