[TYPO3-dev] securing the DB for FE access
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Fri Jul 21 10:09:36 CEST 2006
Dmitry Dulepov wrote:
>
> Theoretically your proposal may lead to a more secure system but only
> theoretically. I do not see immediate practical benefits. Even if we
> require three new users, this will not give us anything in return. Do
> you understand what I mean? By using .htaccess and "Require" you can get
> actual visible result. By just requesting three users with different db
> rights - I doubt.
The idea is to secure the DB itself. Any attacker using the current DB
connection may read and write to the DB at will if he tricks a weak part of
the system (possibly an extension, hopefully never the Core) into executing
malicious SQL code.
Lowering the DB rights minimizes this risk.
> Sorry but I think we have more important things to do.
Don't we have a security team? I have never heard of anything from them
except a few extension warnings. There is a lot of fine tuning to do (e.g. securing
all file uploads with is_uploaded_file()).
Masi
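The following is an added illustration of the privilege separation Masi argues for above; it is not code from the thread or from the TYPO3 project. It creates three MySQL accounts with decreasing rights, so that an injected statement running over a frontend connection can no longer write to (or, for the read-only account, touch) tables it has no business with. The database name `typo3db`, the account names, the passwords, and the choice of tables the frontend is allowed to write (`fe_sessions`, `fe_users`, `sys_log`) are assumptions for the example and would have to match the installation and the code paths that actually use each connection.

```sql
-- Added example, not from the original mailing-list post.
-- Assumed database: typo3db. Assumed accounts: t3_fe_read, t3_fe_write, t3_be.
-- Passwords are placeholders; replace them before use.

-- 1. Frontend rendering: read-only. An injected UPDATE/DELETE/DROP on this
--    connection is rejected by the server (ERROR 1142, "command denied").
CREATE USER 't3_fe_read'@'localhost' IDENTIFIED BY 'change-me-fe-read';
GRANT SELECT ON typo3db.* TO 't3_fe_read'@'localhost';

-- 2. Frontend with login/session handling: read everything, but write only
--    the few tables the frontend legitimately needs (assumed set below).
CREATE USER 't3_fe_write'@'localhost' IDENTIFIED BY 'change-me-fe-write';
GRANT SELECT ON typo3db.* TO 't3_fe_write'@'localhost';
GRANT INSERT, UPDATE, DELETE ON typo3db.fe_sessions TO 't3_fe_write'@'localhost';
GRANT INSERT, UPDATE          ON typo3db.fe_users    TO 't3_fe_write'@'localhost';
GRANT INSERT                  ON typo3db.sys_log     TO 't3_fe_write'@'localhost';

-- 3. Backend editing: full data manipulation, but no schema changes.
--    ALTER/CREATE/DROP stay with the administrative account used for
--    installation and updates, so an injection in the backend cannot
--    drop tables either.
CREATE USER 't3_be'@'localhost' IDENTIFIED BY 'change-me-be';
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3db.* TO 't3_be'@'localhost';

FLUSH PRIVILEGES;

-- Check: confirm each account ended up with exactly the intended rights.
SHOW GRANTS FOR 't3_fe_read'@'localhost';
SHOW GRANTS FOR 't3_fe_write'@'localhost';
SHOW GRANTS FOR 't3_be'@'localhost';

-- Check: what a successful injection can still do. Connected as t3_fe_read,
-- this statement fails at the server regardless of how it got into the query:
--   UPDATE be_users SET password = 'x' WHERE username = 'admin';
-- whereas a SELECT-based injection (data disclosure) still succeeds, so
-- lowering rights limits the damage but does not replace input escaping.
```

Two caveats a practitioner would want: privileges are checked per statement on whatever connection the application opened, so the benefit only materialises if the application actually opens the low-privilege connection for frontend requests and the high-privilege one only where writes are needed; and MySQL 4.x/5.0 installs of that era may need the `GRANT ... IDENTIFIED BY` form instead of `CREATE USER`, which arrived in 5.0.2.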