[TYPO3-dev] Security Warning

Steffen Kamper steffen at dislabs.de
Thu Feb 9 00:41:01 CET 2006


Thanks Kasper for this statement.
This is my conclusion too - but it's not only TS, as this Ext also gives 
the opportunity to manipulate.

I'm really glad that your answer is in a quiet and normal way - I was 
astonished at the way some guys are talking with each other. I'm really in a 
total Typo3 hype and want to help this project in any possible way and not 
only cry out things without thinking ...

all the best ;)
Steffen

"Kasper Skårhøj" <kasper2006 at typo3.com> wrote in message 
news:mailman.13817.1139420270.6406.typo3-dev at lists.netfielders.de...
> No, Steffen, that is not a security problem.
>
> The problem is that you allow someone to execute PHP. *any* execution of 
> PHP compromises security completely. This is for instance the reason why 
> TypoScript Templates can only (and should only!!) be edited by 
> admin-users because TypoScript allows them to include PHP scripts.
>
> - kasper
>
> "A contribution a day keeps the fork away"
> -------------------------------
> kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej |  gizmo: 
> kasper_typo3
>
>
> On Feb 7, 2006, at 23:59 , Steffen Kamper wrote:
>
>> Hi,
>>
>> I discovered the possibility to get the DB params even if you are not 
>> admin
>> and have the possibility to access PHP scripts, e.g. with php_page_content.
>>
>> Then a simple script like
>>
>> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>>
>> prints out all necessary data.
>>
>> Is this a big problem for security? What do you think about that?
>>
>>
>> _______________________________________________
>> TYPO3-dev mailing list
>> TYPO3-dev at lists.netfielders.de
>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
> 
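Kasper's point above is that the boundary to defend is "who may cause PHP to run", not the DB constants themselves, because any PHP running in the TYPO3 process can read them. A practical check that follows from that is auditing TypoScript templates for the directives that load or call PHP, so that only admin-edited templates contain them. The script below is an added example for this thread, not code from TYPO3 or from either poster; the directive names it looks for (includeLibs, the PHP_SCRIPT and USER content objects, userFunc and pre/postUserFunc) are assumed from TypoScript of the TYPO3 3.x/4.x era, and the sample template is constructed for the demonstration.

```python
"""Flag TypoScript lines that load or call PHP code.

Added example for this thread, not code from TYPO3 or from the people quoted.
Assumed: the directive names below as used in TypoScript of the TYPO3 3.x/4.x
era (includeLibs, PHP_SCRIPT/PHP_SCRIPT_INT/PHP_SCRIPT_EXT, USER/USER_INT,
userFunc, preUserFunc, postUserFunc).
"""
import re

# Constructed sample template; the file paths and class names are made up.
SAMPLE_TS = """\
page = PAGE
page.10 = TEXT
page.10.value = Hello
includeLibs.myLib = fileadmin/scripts/my_lib.php
page.20 = PHP_SCRIPT
page.20.file = fileadmin/scripts/box.php
page.30 = USER
page.30.userFunc = user_myClass->main
# includeLibs.commented = fileadmin/x.php
"""

# (label, pattern) pairs; each pattern is matched against one TypoScript line.
PHP_DIRECTIVES = [
    ("includeLibs", re.compile(r"^\s*includeLibs(\.\w+)?\s*=")),
    ("PHP_SCRIPT cObject", re.compile(r"=\s*PHP_SCRIPT(_INT|_EXT)?\s*$")),
    ("USER cObject", re.compile(r"=\s*USER(_INT)?\s*$")),
    ("userFunc call", re.compile(r"\.(userFunc|preUserFunc|postUserFunc)\s*=")),
]


def find_php_directives(ts_text):
    """Return [(line_number, label, stripped_line), ...] for every matching line.

    Lines that are blank or commented with '#' or '//' are skipped because the
    TypoScript parser never evaluates them. Block comments (/* ... */) are not
    handled here; a full audit would strip them first.
    """
    findings = []
    for number, raw in enumerate(ts_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        for label, pattern in PHP_DIRECTIVES:
            if pattern.search(line):
                findings.append((number, label, line))
                break  # one label per line is enough for a report
    return findings


def has_php_execution(ts_text):
    """True if the template contains any directive that leads to PHP execution."""
    return bool(find_php_directives(ts_text))


if __name__ == "__main__":
    for number, label, line in find_php_directives(SAMPLE_TS):
        print(f"line {number:>3}  {label:<20}  {line}")
    print("PHP execution possible:", has_php_execution(SAMPLE_TS))
```

Run against the exported TypoScript of each template record, any hit means that whoever can edit that record can run PHP in the TYPO3 process and therefore read TYPO3_db_username and TYPO3_db_password, which is exactly why such records must stay admin-only.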