[TYPO3-dev] Info disclosure from extension folders

Martin Kutschker Martin.Kutschker at n0spam-blackbox.net
Wed Oct 25 18:06:37 CEST 2006


christian reiter wrote:
> 
> Therefore it is perhaps a good idea to configure Apache so that it does
> not deliver this information.
> 
> Just forbidding access to all typo3conf/ext is of course not the solution :)
> However there is no reason why it should be possible to display the
> ext_tables.sql, the changelogs etc in the browser. When people make
> extensions themselves of course it is also possible to find out some
> information by identifying the extension name from the comments in the HTML
> source of a page where a plugin is located and then looking at the
> ext_tables.sql, wizard_form.html... etc. - all of this information should
> really be private.

The current file system layout makes it impossible to distinguish between 
files that must be delivered by the Webserver (PHP-scripts, certain images, 
CSS-files and other web resources) and other data (PHP classes, setup and 
configuration data).

IMHO this should be addressed in TYPO3 5.0, but in the meantime you can 
hide only specific files (e.g. "typo3conf/localconf.php" or generic file 
names like "ChangeLog"), but I think it's a lot of trouble to protect all 
those files and directories with Apache directives.

Masi
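
Added example, not part of the original thread or of TYPO3: a small audit script that lists files below typo3conf/ whose names were called out above, and builds a matching Apache deny block. Assumptions: the name list is only the files mentioned in this thread, "my_ext" is a hypothetical extension in a constructed sample tree, and the generated block uses Apache 2.4 syntax (Require all denied).

```python
import os
import re
import tempfile

# File names mentioned in the thread; extend the tuple for your own site.
PRIVATE_NAMES = ("ext_tables.sql", "ChangeLog", "wizard_form.html", "localconf.php")

def find_exposed(docroot, names=PRIVATE_NAMES):
    """Return docroot-relative URL paths of listed files below typo3conf/."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(docroot, "typo3conf")):
        for name in files:
            if name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def files_match_block(names=PRIVATE_NAMES):
    """Build an Apache 2.4 <FilesMatch> block that denies the listed names."""
    pattern = "^(" + "|".join(re.escape(n) for n in names) + ")$"
    return '<FilesMatch "%s">\n    Require all denied\n</FilesMatch>' % pattern

def demo():
    """Audit a constructed tree; 'my_ext' is a hypothetical extension."""
    sample = [
        "typo3conf/localconf.php",
        "typo3conf/ext/my_ext/ext_tables.sql",
        "typo3conf/ext/my_ext/ChangeLog",
        "typo3conf/ext/my_ext/pi1/class.tx_myext_pi1.php",  # not listed, ignored
        "typo3conf/ext/my_ext/res/style.css",               # legitimate web resource
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_exposed(root)

if __name__ == "__main__":
    for url_path in demo():
        print("reachable unless denied: /" + url_path)
    print(files_match_block())
```

FilesMatch tests only the base name of a file, so the generated block denies every file with one of these names inside the scope where it is placed.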



