[TYPO3-dev] major security problem --> hacking of TYPO3 sites may be possible
Michael Scharkow
mscharkow at gmx.net
Sun Apr 30 18:42:57 CEST 2006
Andreas Balzer wrote:
> See 0003386 and 0003385 in bug tracking. TYPO3 can be hacked by users
> that -->had<-- admin rights and users that do not even have them.
>
> Should be fixed as soon as possible.
>
> Greetings
> Andreas
>
> P.S.: Any instructions for security related problems would be
> appreciated... Just got hacked and wanted to report...
Andreas,
please refrain from posting such blatantly misleading subject lines
related to security, not to mention that we have a list for this.
Issue #1 is a server configuration problem not related to TYPO3 at all.
If you can't secure a webserver don't blame TYPO3 for this. Even if you
think that uploading .bat files is a security issue, you can easily
change this in TYPO3 settings although I think it's the wrong way to fix
the problem.
Issue #2 is a) not reproducible for me, and b) not a security flaw.
*You* gave the person admin permissions, and *you* could simply flush
the session table if for whatever reason you have to remove a user from
the system instantly.
And last but not least: Logging in simultaneously from various places is
possible in every OS I know of, except Windows 98, and nobody ever came
up with the idea that this might be a security risk.
Cheers,
Michael