[TYPO3-dev] Security Warning

Alexander Schlegel alexander.schlegel at nezzgo.com
Wed Feb 8 01:28:05 CET 2006


"Elmar Hinz" <elmar.DOT.hinz at team.MINUS.red.DOT.net> wrote in message
news:mailman.1.1139355228.2324.typo3-dev at lists.netfielders.de...
> Steffen Kamper wrote:
> > Hi,
> >
> > I discovered the possibility to get the DB-Params still if you are not admin
> > and have the possibility to access php-scripts, e.g. with php_page_content.
> >
> > Then a simple script like
> >
> > <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
> >
> > prints out all necessary data.
> >
> > Is this a big problem for security? What do you think about that?
> >
> >
>
> It tells me that you shouldn't allow non admins to insert any script independent
> of the method of insertion.
>
> /el

I think you consider it a little bit too carelessly. For me it's a security
lack, too. Nobody should be able to get this information in this simple
manner.

Alexander





