[TYPO3-dev] major security problem --> hacking of TYPO3 sites may be possible
Andreas Balzer
eMail at andreas-balzer.de
Sun Apr 30 19:20:40 CEST 2006
Michael Scharkow wrote:
> Issue #1 is a server configuration problem not related to TYPO3 at all.
At least it's the XAMP server available on TYPO3..
> If you can't secure a webserver don't blame TYPO3 for this.
I cannot see that I blamed TYPO3.. I just find it a little bit strange
if normal people can crash the whole system by default and everyone says
'ah.. it's no problem... :)'
I mean.. Not a single firewall or antivirus app can help if someone
uploads some killing PHP or SHTML files..
> Even if you
> think that uploading .bat files is a security issue, you can easily
> change this in TYPO3 settings although I think it's the wrong way to fix
> the problem.
It should be added by default. I mean, I know that it's possible.. but
who thinks about the possibility to upload bad stuff even if the most
known file types are deactivated..
> Issue #2 is a) not reproducible for me, and b) not a security flaw.
I'm checking the log files to see how the hacker did it.. but it worked
even 30 minutes after the username was DELETED. (Currently I don't know why.)
> *You* gave the person admin permissions,
Imagine a company where someone moved to another one and actually can
crash your system because he was just logged in (and the browser window
stayed open).. And do not forget that it's possible to gain admin
access by people who actually don't have it (sure, there are extensions
that avoid that, but even they are not in the core by default)..
> and *you* could simply flush
> the session table if for whatever reason you have to remove a user from
> the system instantly.
That's true. But only if the hacker was not quick enough to enter your
phpMyAdmin module to change all passwords..
Greetings
Andreas
P.S.: I do not want to "blame" anyone, but it's very frustrating if you
see a message "you've got hacked" not only on your website, but also on
a Windows command shell that was opened by a script that was uploaded to
fileadmin..
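The first issue in this exchange is what a deny-list of file types does and does not keep out of a web-served upload directory such as fileadmin/. The following PHP script is an added example written for this page, not TYPO3 code and not taken from any poster: it runs a deny-list check and an allow-list check over a handful of constructed upload names. The deny pattern is written in the style of TYPO3's fileDenyPattern setting but is an assumption, not copied from any TYPO3 release; the allowed-extension list and the sample file names are also constructed for the example.

```php
<?php
// Added example (not TYPO3 code): deny-list vs allow-list file name checks
// for a web-accessible upload directory such as fileadmin/.

// Deny pattern in the style of TYPO3's fileDenyPattern. Constructed here,
// not copied from any release, so the exact set it blocks is an assumption.
const DENY_PATTERN = '/\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$/i';

// Allow-list: the only extensions this (hypothetical) site needs to serve
// from fileadmin/. Anything not listed is refused.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip', 'tar', 'gz'];

// Deny-list semantics: the upload is accepted unless the pattern matches.
function denyListAllows(string $name): bool
{
    return preg_match(DENY_PATTERN, $name) !== 1;
}

// Allow-list semantics: the upload is refused unless every extension
// segment is known to be harmless to serve.
function allowListAllows(string $name): bool
{
    // Reject empty names, dotfiles and anything containing a path separator
    // or NUL; the bare file name is what the web server's handler mapping sees.
    if ($name === '' || $name[0] === '.' || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', $name);
    array_shift($parts);            // drop the base name, keep the extensions
    if ($parts === []) {
        return false;               // no extension at all: nothing to serve it as
    }
    // Check every segment, not just the last one: Apache's mod_mime can map a
    // handler on any segment, so "shell.php.jpg" may still run as PHP.
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample of upload names, including the kinds the thread mentions.
$samples = [
    'logo.png',
    'report.pdf',
    'archive.tar.gz',
    'shell.php',
    'shell.PHTML',
    'shell.php.jpg',
    'index.shtml',     // server-side includes, if the server has them enabled
    'run.bat',
    'wrapper.cgi',
    '.htaccess',
];

printf("%-16s %-10s %-10s\n", 'filename', 'deny-list', 'allow-list');
foreach ($samples as $name) {
    printf("%-16s %-10s %-10s\n", $name,
        denyListAllows($name) ? 'accepted' : 'blocked',
        allowListAllows($name) ? 'accepted' : 'blocked');
}
```

Run with php on the command line. The deny-list blocks the PHP variants and .htaccess but accepts index.shtml, run.bat and wrapper.cgi, because a deny pattern only knows about the handlers someone thought to list; whether those names are actually dangerous depends on the web server configuration, which is the other half of the thread's first point. The allow-list refuses all of them while still accepting the legitimate multi-dot archive.tar.gz, and it needs no knowledge of which handlers the server has enabled.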
More information about the TYPO3-dev mailing list