[TYPO3-dev] Security Warning

Dennis Cheung hkdennis2k at gmail.com
Wed Feb 8 05:49:15 CET 2006


Hi,

I think TYPO3_db_username and password are not a real problem.
If you allow non-admins to run any PHP written by them,
they can do the most dangerous operations to your database and filesystem.
e.g.
  re-write index_ts.php, localconf.php
  use $TYPO3_DB->link directly

Dennis

On 2/8/06, Ingo Renner <typo3 at ingo-renner.com> wrote:
> Am Tue, 7 Feb 2006 23:59:05 +0100 schrieb Steffen Kamper:
>
> > Hi,
> >
> > i discovered the possibility to get the DB-Params still if you are not admin
> > and have possibility to access php-scripts, e.g. with php_page_content.
> >
> > Then a simple script like
> >
> > <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>
> who would have guessed that? Just do not allow anyone to install this kind
> of extension and enforce that rule. EXT:page_php_content is evil.
>
>
> Ingo
>
> --
> Use a newsreader! Check out
> http://typo3.org/community/mailing-lists/use-a-news-reader/
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
>
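An added audit script, not part of this thread or of TYPO3 itself, that puts Ingo's rule into practice: it reads the extension list out of a TYPO3 3.x/4.x typo3conf/localconf.php and flags any installed extension that lets editors run arbitrary PHP in page content. It assumes the `$TYPO3_CONF_VARS['EXT']['extList']` key is a comma-separated list of installed extension keys (as in those versions), and the sample localconf.php content and the set of risky extension keys are constructed for the example.

```python
import re

# Constructed sample of a TYPO3 3.x/4.x typo3conf/localconf.php.
# The DB credentials here are placeholders; the extList line is the one
# the audit actually inspects (assumption: comma-separated extension keys).
SAMPLE_LOCALCONF = r"""<?php
$typo_db_username = 'typo3user';
$typo_db_password = 'constructed-placeholder';
$TYPO3_CONF_VARS['EXT']['extList'] = 'cms,lang,sv,page_php_content,tt_news';
?>"""

# Extension keys that hand page editors arbitrary PHP execution, and with it
# the DB credentials and filesystem access the thread describes.
# page_php_content is the key named in the thread; maintaining this set is
# the site operator's job (assumption for the example).
PHP_EXEC_EXTENSIONS = {"page_php_content"}

# Matches: $TYPO3_CONF_VARS['EXT']['extList'] = '...';  (single or double quotes)
EXTLIST_RE = re.compile(
    r"""\$TYPO3_CONF_VARS\s*\[\s*['"]EXT['"]\s*\]\s*\[\s*['"]extList['"]\s*\]"""
    r"""\s*=\s*['"]([^'"]*)['"]"""
)


def installed_extensions(localconf_text):
    """Return the extension keys listed in extList, in file order."""
    match = EXTLIST_RE.search(localconf_text)
    if not match:
        return []
    return [key.strip() for key in match.group(1).split(",") if key.strip()]


def flag_php_exec_extensions(localconf_text, risky=PHP_EXEC_EXTENSIONS):
    """Return the installed extension keys that allow arbitrary PHP, sorted."""
    return sorted(set(installed_extensions(localconf_text)) & set(risky))


def audit_localconf(localconf_text, risky=PHP_EXEC_EXTENSIONS):
    """True when the install passes the 'no PHP-execution extensions' rule."""
    flagged = flag_php_exec_extensions(localconf_text, risky)
    for key in flagged:
        print(f"FAIL: extension '{key}' is installed and lets editors run PHP")
    if not flagged:
        print("OK: no PHP-execution extensions in extList")
    return not flagged


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's contents instead:
    #   audit_localconf(open("typo3conf/localconf.php").read())
    audit_localconf(SAMPLE_LOCALCONF)
```

Running this over the constructed sample reports page_php_content as installed and fails the check; the same call on a localconf.php without that key passes. Enforcing the rule this way (for example from a deployment check) catches the case where an administrator installs the extension later, which is the gap a one-time policy statement leaves open.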