[TYPO3-dev] Security Warning

Steffen Kamper steffen at dislabs.de
Thu Feb 9 19:48:16 CET 2006


Hi Kasper,

Many thanks for your warm and wise words!
I understand that (sometimes :) ) and for me the best way to work together
is a normal and constructive way. I myself will try to give my best to
support the project - I gave some extensions to the TER and will do a lot
more work for the great TYPO3 community. It's really the best project for me
in the last years - and it will grow!

Steffen


"Kasper Skårhøj" <kasper2006 at typo3.com> wrote in news post
news:mailman.14117.1139487530.6406.typo3-dev at lists.netfielders.de...
Great Steffen, I'm happy you want to help! Welcome also since you are
new!

Sometimes all of us get caught up in stress and irritation and this
often leads to harsh answers which are not rightful. I do that too
sometimes. We must all try to be calm and friendly - and forgiving.

- kasper

"A contribution a day keeps the fork away"
-------------------------------
kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej |
gizmo: kasper_typo3


On Feb 9, 2006, at 0:41 , Steffen Kamper wrote:

> Thanks Kasper for this statement.
> This is my conclusion too - but it's not only TS but also this Ext that
> gives the opportunity to manipulate.
>
> I'm really glad that your answer is in a quiet and normal way - I was
> astonished at the way some guys talk with each other. I'm really in a
> total TYPO3-Hype and want to help this project in any possible way and
> not only cry out things without thinking ...
>
> all the best ;)
> Steffen
>
> "Kasper Skårhøj" <kasper2006 at typo3.com> wrote in news post
> news:mailman.13817.1139420270.6406.typo3-dev at lists.netfielders.de...
>> No, Steffen, that is not a security problem.
>>
>> The problem is that you allow someone to execute PHP. *any* execution of
>> PHP compromises security completely. This is for instance the reason why
>> TypoScript Templates can only (and should only!!) be edited by
>> admin-users because TypoScript allows them to include PHP scripts.
>>
>> - kasper
>>
>> "A contribution a day keeps the fork away"
>> -------------------------------
>> kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej | gizmo:
>> kasper_typo3
>>
>>
>> On Feb 7, 2006, at 23:59 , Steffen Kamper wrote:
>>
>>> Hi,
>>>
>>> I discovered the possibility to get the DB params even if you are not
>>> admin and have the possibility to access PHP scripts, e.g. with
>>> php_page_content.
>>>
>>> Then a simple script like
>>>
>>> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>>>
>>> prints out all necessary data.
>>>
>>> Is this a big problem for security? What do you think about that?
>>>
>>>
>>> _______________________________________________
>>> TYPO3-dev mailing list
>>> TYPO3-dev at lists.netfielders.de
>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
>>
>