[TYPO3-dev] Security Warning

Kasper Skårhøj kasper2006 at typo3.com
Thu Feb 9 13:18:47 CET 2006


Great Steffen, I'm happy you want to help! Welcome also, since you are new!

Sometimes all of us get caught up in stress and irritation and this  
often leads to harsh answers which are not rightful. I do that too  
sometimes. We must all try to be calm and friendly - and forgiving.

- kasper

"A contribution a day keeps the fork away"
-------------------------------
kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej | gizmo: kasper_typo3


On Feb 9, 2006, at 0:41 , Steffen Kamper wrote:

> Thanks Kasper for this statement.
> This is my conclusion too - but it's not only TS, as this Ext also gives
> the opportunity to manipulate.
>
> I'm really glad that your answer is in a quiet and normal way - I was
> astonished at the way some guys were talking with each other. I'm really in a
> total TYPO3 hype and want to help this project in any possible way and not
> only cry out things without thinking ...
>
> all the best ;)
> Steffen
>
> "Kasper Skårhøj" <kasper2006 at typo3.com> wrote in message
> news:mailman.13817.1139420270.6406.typo3-dev at lists.netfielders.de...
>> No, Steffen, that is not a security problem.
>>
>> The problem is that you allow someone to execute PHP. *any* execution of
>> PHP compromises security completely. This is for instance the reason why
>> TypoScript Templates can only (and should only!!) be edited by
>> admin-users because TypoScript allows them to include PHP scripts.
>>
>> - kasper
>>
>> "A contribution a day keeps the fork away"
>> -------------------------------
>> kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej | gizmo: kasper_typo3
>>
>>
>> On Feb 7, 2006, at 23:59 , Steffen Kamper wrote:
>>
>>> Hi,
>>>
>>> I discovered the possibility to get the DB params even if you are not
>>> admin and have the possibility to access PHP scripts, e.g. with
>>> php_page_content.
>>>
>>> Then a simple script like
>>>
>>> <?php
>>> // Read the database credentials that TYPO3 defines as global constants
>>> echo "User / Password: " . TYPO3_db_username . " / " . TYPO3_db_password;
>>> ?>
>>>
>>> prints out all necessary data.
>>>
>>> Is this a big problem for security ? What do you think about that ?
>>>
>>>
>>> _______________________________________________
>>> TYPO3-dev mailing list
>>> TYPO3-dev at lists.netfielders.de
>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
>>
>
>