[TYPO3-dev] Info disclosure from extension folders

Christopher Torgalson bedlamhotel at gmail.com
Wed Oct 25 18:35:59 CEST 2006


On 10/25/06, Martin Kutschker <Martin.Kutschker at n0spam-blackbox.net> wrote:
> christian reiter schrieb:
> >
> > Therefore it is perhaps a good idea to configure Apache so that it does
> > not deliver this information.
> >
> > Just forbidding access to all typo3conf/ext is of course not the solution:)
> > However there is no reason why it should be possible to display the
> > ext_tables.sql, the changelogs etc. in the browser. When people make
> > extensions themselves it is of course also possible to find out some
> > information by identifying the extension name from the comments in the HTML
> > source of a page where a plugin is located and then looking at the
> > ext_tables.sql, wizard_form.html... etc. - all of this information should
> > really be private.
>
> The current file system layout makes it impossible to distinguish between
> files that must be delivered by the Webserver (PHP-scripts, certain images,
> CSS-files and other web resources) and other data (PHP classes, setup and
> configuration data).
>
> IMHO this should be addressed in TYPO3 5.0, but in the meantime you can
> hide only specific files (eg "typo3conf/localconf.php" or generic file
> names like "ChangeLog"), but I think it's a lot of trouble to protect all
> those files and directories with Apache directives.

Really? Drupal's .htaccess file ships with this entry:

<FilesMatch "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
  Order deny,allow
  Deny from all
</FilesMatch>

...and it works--files can be accessed by local scripts but not, as
far as I can see, in any other way. Did I misunderstand what you
meant?


-- 
Christopher Torgalson
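Added example (editor's addition, not code from the thread, from Drupal or from TYPO3): a dry run of an Apache `<FilesMatch>` pattern against candidate filenames, using `grep -E` on the basename the way FilesMatch does, so one can see which of the files named in the thread (ext_tables.sql, ChangeLog, wizard_form.html) the Drupal pattern catches and which need a TYPO3-specific list. The TYPO3 pattern, the extension name `myext` and the sample paths are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Drupal/TYPO3: dry-run an Apache
# <FilesMatch> pattern against candidate filenames before deploying it, and
# print a TYPO3-oriented .htaccess fragment.

# The pattern quoted from Drupal's .htaccess in the post above.
DRUPAL_PATTERN='(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$'

# Assumed TYPO3 variant: the files named in the thread (ext_tables.sql,
# ChangeLog, wizard_form.html) plus .inc/.sh from the Drupal list. Which other
# names belong here depends on the extensions actually installed.
TYPO3_PATTERN='(\.(inc|sh|sql)|ChangeLog(\.txt)?|wizard_form\.html)$'

# blocked PATTERN PATH: exit 0 if a <FilesMatch PATTERN> would deny PATH.
# FilesMatch tests only the basename, so strip any directory part first.
blocked() {
    printf '%s\n' "${2##*/}" | grep -Eq -e "$1"
}

# Print the fragment for typo3conf/ext/.htaccess (Apache 2.2 syntax; on
# Apache 2.4 replace the Order/Deny pair with "Require all denied").
print_fragment() {
    cat <<EOF
<FilesMatch "$TYPO3_PATTERN">
  Order deny,allow
  Deny from all
</FilesMatch>
EOF
}

# Constructed sample of paths one finds under typo3conf/ext/ (assumed names).
for f in \
    typo3conf/ext/myext/ext_tables.sql \
    typo3conf/ext/myext/ChangeLog \
    typo3conf/ext/myext/pi1/wizard_form.html \
    typo3conf/ext/myext/res/style.css \
    typo3conf/ext/myext/pi1/class.tx_myext_pi1.php
do
    if blocked "$DRUPAL_PATTERN" "$f"; then d=denied; else d=served; fi
    if blocked "$TYPO3_PATTERN" "$f"; then t=denied; else t=served; fi
    printf 'drupal:%-7s typo3:%-7s %s\n' "$d" "$t" "$f"
done
print_fragment
```

Two caveats when deploying the fragment: FilesMatch matches on the filename only, so it cannot hide a whole directory (use `Options -Indexes` against listings and a `<Directory>` block for directories that should never be served), and a `.htaccess` file only takes effect where `AllowOverride` permits it, so check the server configuration rather than trusting the file's presence.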