[Typo3-dev] defined vars
Ingmar Schlecht
ingmar at typo3.org
Thu Oct 21 00:59:33 CEST 2004
Ernesto Baschny wrote:
> If you install an extension locally it can do much worse than that.
That's exactly what I thought when reading the posting.
The fact that TYPO3 knows its database password is really just more than
obvious. How should it connect to the DB otherwise?
And, face it: All of you already knew the password was stored in
typo3conf/localconf.php.
So by just include()ing that file, that evil extension programmer
would've got your DB password easily anyway.
Bottom line is: Don't execute any PHP code that you don't trust.
And: Secure your MySQL so it can't be accessed from outside.
cheers,
Ingmar