[TYPO3-dev] securing TYPO3 by disallowing execution of arbitrary code via ext_tables.php and ext_localconf.php
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Fri Jul 21 10:26:28 CEST 2006
Dmitry Dulepov wrote:
> Hi!
>
> Martin Kutschker wrote:
>
>> IMHO the system would be a tick more secure if TYPO3 would only
>> execute code in ext_tables.php and ext_localconf.php if there is a
>> flag present in ext_emconf.php.
>
> Why not disallow executing code from tceforms, for example? ext_*
> files are part of the extension and limiting extensions in this way will
> most likely make extensions useless.
Heh? If I'm able to write an extension, I'm able to set the necessary flag
in ext_emconf.php.
> -1. Just do not install it if you do not trust it.
>
>> With this flag only ext_emconf.php must be protected. An attacker may
>> not use write rights to an extensions directory to get his code into
>> TYPO3.
>
> So he will put his hacking code directly into ext_emconf.php. Simple...
I said that it is only a small enhancement. It's only a protection when you
have the extension directory writable, but you must of course secure at
least ext_emconf.php from being written.
Masi
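The gate proposed in this thread, written out as an added PHP example (not TYPO3 code and not code from either poster): the loader reads ext_emconf.php, executes ext_localconf.php and ext_tables.php only if an opt-in flag is set, and also applies Masi's caveat by refusing when ext_emconf.php itself is writable by the PHP process. The flag name `executes_php`, the function names and the extension path in the usage line are assumptions made for this example; the real ext_emconf.php format has no such key.

```php
<?php
// Added example, not TYPO3 code: execute an extension's ext_localconf.php and
// ext_tables.php only when ext_emconf.php explicitly opts in, and only when
// ext_emconf.php cannot be rewritten by the web server user.
// Assumptions: the 'executes_php' flag is hypothetical; $extDir is one
// extension directory such as typo3conf/ext/<extkey>.

declare(strict_types=1);

/**
 * Read ext_emconf.php the way TYPO3 does: the file assigns an array into
 * $EM_CONF[$_EXTKEY]. Returns that array, or null if the file is missing or
 * does not populate the expected key.
 */
function readEmConf(string $extDir, string $extKey): ?array
{
    $file = $extDir . '/ext_emconf.php';
    if (!is_file($file)) {
        return null;
    }
    $EM_CONF = [];
    $_EXTKEY = $extKey;
    include $file;   // the file populates $EM_CONF[$_EXTKEY] in this scope
    if (!isset($EM_CONF[$extKey]) || !is_array($EM_CONF[$extKey])) {
        return null;
    }
    return $EM_CONF[$extKey];
}

/**
 * Collect reasons why the extension's code files must not be executed.
 * An empty list means execution is allowed.
 */
function codeExecutionProblems(string $extDir, string $extKey): array
{
    $problems = [];
    $conf = readEmConf($extDir, $extKey);
    if ($conf === null) {
        $problems[] = 'ext_emconf.php missing or malformed';
        return $problems;
    }
    // The proposed gate: the (hypothetical) flag must be present and true.
    if (empty($conf['executes_php'])) {
        $problems[] = 'ext_emconf.php does not set the executes_php flag';
    }
    // Masi's caveat: the flag is only meaningful if ext_emconf.php cannot be
    // rewritten by the same process that could write into the extension directory.
    if (is_writable($extDir . '/ext_emconf.php')) {
        $problems[] = 'ext_emconf.php is writable by the PHP process, so the flag can be forged';
    }
    return $problems;
}

/**
 * Include ext_localconf.php and ext_tables.php only when the gate is satisfied.
 * Returns true if the files were executed, false if execution was refused.
 */
function loadExtensionCode(string $extDir, string $extKey): bool
{
    $problems = codeExecutionProblems($extDir, $extKey);
    if ($problems !== []) {
        error_log(sprintf('Refusing to execute code of extension "%s": %s',
            $extKey, implode('; ', $problems)));
        return false;
    }
    foreach (['ext_localconf.php', 'ext_tables.php'] as $name) {
        $file = $extDir . '/' . $name;
        if (is_file($file)) {
            $_EXTKEY = $extKey;   // these files expect $_EXTKEY to be set
            include $file;
        }
    }
    return true;
}

// Usage (constructed path): 
// loadExtensionCode('/var/www/typo3conf/ext/myext', 'myext');
```

Note that this example includes the files inside a function, so a real ext_localconf.php that relies on globals such as the TYPO3 configuration array would need those variables brought into scope; the point of the example is the decision logic, which refuses both when the opt-in flag is absent and when the writable ext_emconf.php would let anyone with write access to the directory add the flag themselves.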