[Typo3-dev] defined vars

Michael Stucki michael at typo3.org
Thu Oct 21 00:46:52 CEST 2004


Hi Daniel,

> While writing my own extension I called get_defined_constants().
> And I couldn't believe what I saw:
> 
> TYPO3_db real_db_name
> TYPO3_db_username real_username
> TYPO3_db_password real_password
> TYPO3_db_host real_host
> 
> I think this is a security hole (TYPO3 v. 3.6.2).
> If I think about it, I could write an extension which is used by many
> people, and it can mail me some database accounts.

The important thing is that the account you are using here only has access
to the TYPO3 database. If that is the case then an "attacker" will only see
what he already could using the open MySQL connection.

- michael
-- 
Want support? Please read the list rules first: http://typo3.org/1438.0.html
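
The reply's condition, that the account only reaches the TYPO3 database, can be checked from the output of MySQL's `SHOW GRANTS`. The following is an added example, not part of the original post or of TYPO3; the function name, the database name `typo3_site` and the sample grant lines are constructed for illustration.

```python
import re

# Matches one line of MySQL `SHOW GRANTS` output.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)$",
    re.IGNORECASE,
)


def audit_grants(lines, allowed_db):
    """Return findings for grants that reach beyond `allowed_db`."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = [p.strip().upper() for p in m.group("privs").split(",")]
        scope = m.group("scope")
        # `db\_name`.* -> db_name (MySQL may escape "_" in the schema name)
        db = scope.split(".", 1)[0].strip("`").replace("\\", "")
        if "WITH GRANT OPTION" in m.group("rest").upper():
            findings.append(f"can pass privileges on: {scope}")
        if privs == ["USAGE"]:
            continue  # USAGE means "no privileges", login only
        if db == "*":
            findings.append(f"global privileges: {', '.join(privs)}")
        elif db != allowed_db:
            findings.append(f"access to other database: {scope}")
    return findings


# Constructed sample output for a hypothetical account 'typo3'@'localhost'.
SCOPED = [
    "GRANT USAGE ON *.* TO 'typo3'@'localhost' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `typo3\\_site`.* TO 'typo3'@'localhost'",
]
OVERBROAD = [
    "GRANT ALL PRIVILEGES ON *.* TO 'typo3'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT ON `shop`.* TO 'typo3'@'localhost'",
]

if __name__ == "__main__":
    for name, sample in (("scoped", SCOPED), ("overbroad", OVERBROAD)):
        print(name, audit_grants(sample, "typo3_site"))
```

An empty result means every extension that can read the constants is limited to what the open connection already exposes; any finding means the credentials reach further than that.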



