[TYPO3-dev] Security Warning

Dmitry Dulepov typo3 at fm-world.ru
Wed Feb 8 09:10:12 CET 2006


Hi!

Steffen Kamper wrote:
> I discovered the possibility to get the DB-Params still if you are not
> admin and have the possibility to access php-scripts, e.g. with php_page_content.
>
> Then a simple script like
>
> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>
> prints out all necessary data.
>
> Is this a big problem for security? What do you think about that?

So, you know the mysql user name and password. What's next? How do you use
it? Most mysqls run for localhost connections only, they do not allow
remote connections. So you need shell access to run the mysql tool or ftp
access to upload a harmful script. Usually passwords for shell/ftp are
different and the hacker is out of luck here.

What harm can you do *remotely* using the mysql user name and password? If
you can upload any script to the site, you can do almost anything (for
example, erase localconf.php and block the typo3 site completely) but the mysql
user name and password will not help you to upload such a script.

So, what is the threat?

Dmitry.

-- 
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
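An added audit check, not code from this thread or from TYPO3: it scans content records for embedded PHP that references the DB credential constants Steffen mentioned, so an administrator can find which editors have written such scripts. The table name tt_content, the column cruser_id and the sibling constants TYPO3_db and TYPO3_db_host are assumptions; the sample rows are constructed.

```python
import re

# TYPO3_db_username / TYPO3_db_password appear in the thread; TYPO3_db and
# TYPO3_db_host are assumed sibling constants from the same configuration.
DB_CONSTANTS = ("TYPO3_db_username", "TYPO3_db_password", "TYPO3_db_host", "TYPO3_db")

# One PHP block: "<?php ... ?>" or "<? ... ?>", possibly unterminated (runs to end of field).
PHP_BLOCK_RE = re.compile(r"<\?(?:php\b)?(.*?)(?:\?>|\Z)", re.DOTALL | re.IGNORECASE)
# Whole-word match, so TYPO3_db does not also fire on TYPO3_db_host.
CONST_RE = re.compile(r"\b(" + "|".join(re.escape(c) for c in DB_CONSTANTS) + r")\b")


def find_credential_refs(bodytext):
    """Return the sorted list of DB credential constants used inside PHP code in one field.
    Mentions outside a PHP block (plain text) are ignored."""
    found = set()
    for block in PHP_BLOCK_RE.finditer(bodytext):
        found.update(CONST_RE.findall(block.group(1)))
    return sorted(found)


def audit_content(records):
    """records: iterable of (uid, cruser_id, bodytext) rows, e.g. exported from tt_content (assumed).
    Returns one finding per row whose PHP references a credential constant."""
    findings = []
    for uid, cruser_id, bodytext in records:
        consts = find_credential_refs(bodytext or "")
        if consts:
            findings.append({"uid": uid, "cruser_id": cruser_id, "constants": consts})
    return findings


# Constructed sample rows, not real TYPO3 data.
SAMPLE_RECORDS = [
    (11, 2, '<?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>'),
    (12, 2, "Plain text mentioning TYPO3_db_password is not code and is not flagged."),
    (13, 3, "<? $h = TYPO3_db_host; echo TYPO3_db;"),  # short open tag, no closing tag
    (14, 1, '<?php echo date("Y"); ?>'),
]

if __name__ == "__main__":
    for f in audit_content(SAMPLE_RECORDS):
        print("tt_content uid=%d (cruser_id=%d): %s"
              % (f["uid"], f["cruser_id"], ", ".join(f["constants"])))
```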
