[TYPO3-dev] Security Warning

Dmitry Dulepov typo3 at fm-world.ru
Wed Feb 8 10:09:59 CET 2006


Hi!

Michael Scharkow wrote:
> Dmitry Dulepov wrote:
> 
>> What harm can you do *remotely* using mysql user name and password? If
>> you can upload any script to the site, you can do almost anything (for
>> example, erase localconf.php and block typo3 site completely) but mysql
>> user name and password will not help you to upload such a script.
> 
> In Steffen's scenario, users *can* already mess with local php scripts,
> no need to upload one.

Yes, I understand this. I am trying to think further given his scenario.
If one places such a script somewhere on the site and tells others:
"hey, now you can always see database user name and password for this
server!". What is a practical use of this information? In my opinion, it
is nothing. Of course, if user name is "typo3" and password is
"password" you can imagine that shell user name and password are easy to
guess. But nothing more. So this information does not give anything to
attack the site remotely.

As to local attack - it is always possible in some way...

Dmitry.
-- 
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)



