[TYPO3-dev] securing TYPO3 by disallowing execution of arbitrary code via ext_tables.php and ext_localconf.php
Dmitry Dulepov
typo3 at accio.lv
Fri Jul 21 09:54:09 CEST 2006
Hi!
Martin Kutschker wrote:
> IMHO the system would be a tick more secure if TYPO3 only executed
> code in ext_tables.php and ext_localconf.php if there is a flag present
> in ext_emconf.php.
Why not disallow executing code from tceforms, for example? ext_*
files are part of the extension and limiting extensions in this way will
most likely make the extension useless.
-1. Just do not install it if you do not trust it.
> With this flag only ext_emconf.php must be protected. An attacker may
> not use write rights to an extensions directory to get his code into TYPO3.
So he will put his hacking code directly into ext_emconf.php. Simple...
Dmitry.
--
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)