[TYPO3-dev] Security Warning
Steffen Kamper
steffen at dislabs.de
Thu Feb 9 19:48:16 CET 2006
Hi Kasper,
many thanks for your warm and wise words!
I understand that (sometimes :) ) and for me the best way to work together
is a normal and constructive way. I myself will try to give my best to
support the project - I gave some extensions to the TER and will do a lot
more work for the great Typo3-community. It's really the best project for me
in the last years - and it will grow!
Steffen
"Kasper Skårhøj" <kasper2006 at typo3.com> wrote in message
news:mailman.14117.1139487530.6406.typo3-dev at lists.netfielders.de...
Great Steffen, I'm happy you want to help! Welcome also since you are
new!
Sometimes all of us get caught up in stress and irritation and this
often leads to harsh answers which are not rightful. I do that too
sometimes. We must all try to be calm and friendly - and forgiving.
- kasper
"A contribution a day keeps the fork away"
-------------------------------
kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej |
gizmo: kasper_typo3
On Feb 9, 2006, at 0:41 , Steffen Kamper wrote:
> Thanks Kasper for this statement.
> This is my conclusion too - but it's not only TS but also this Ext that
> gives the opportunity to manipulate.
>
> I'm really glad that your answer is in a quiet and normal way - I was
> astonished at the way some guys talk with each other. I'm really in a
> total Typo3-Hype and want to help this project in any possible way and
> not only crying out things without thinking ...
>
> all the best ;)
> Steffen
>
> "Kasper Skårhøj" <kasper2006 at typo3.com> wrote in message
> news:mailman.13817.1139420270.6406.typo3-dev at lists.netfielders.de...
>> No, Steffen, that is not a security problem.
>>
>> The problem is that you allow someone to execute PHP. *any* execution
>> of PHP compromises security completely. This is for instance the reason
>> why TypoScript Templates can only (and should only!!) be edited by
>> admin-users because TypoScript allows them to include PHP scripts.
>>
>> - kasper
>>
>> "A contribution a day keeps the fork away"
>> -------------------------------
>> kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej | gizmo:
>> kasper_typo3
>>
>>
>> On Feb 7, 2006, at 23:59 , Steffen Kamper wrote:
>>
>>> Hi,
>>>
>>> I discovered the possibility to get the DB-Params even if you are not
>>> admin and have the possibility to access php-scripts, e.g. with
>>> php_page_content.
>>>
>>> Then a simple script like
>>>
>>> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>>>
>>> prints out all necessary data.
>>>
>>> Is this a big problem for security ? What do you think about that ?
>>>
>>>
>>> _______________________________________________
>>> TYPO3-dev mailing list
>>> TYPO3-dev at lists.netfielders.de
>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
>>
>
>