[TYPO3-dev] Improvement against SQL injections

Lars Houmark lars at houmark.com
Sat Jun 16 07:33:47 CEST 2007


On 16/06/07 0:01, in article
mailman.328549.1181944892.21067.typo3-dev at lists.netfielders.de, "Felix
Eckhofer" <fe at studioneun.de> wrote:

> Hi.
> 
> On Friday, 15. June 2007, Lars Houmark wrote:
>> By having a simple file, with this array with checksums, this is no  
>> longer possible. We think that the macina_banners case used exactly  
>> this method and gave the evil person a very extensive access to the  
>> actual installation.
> 
> Well, would this actually enhance security? The evil hacker might no
> longer be able to create a be-user but he would be still able to do
> (almost) everything he could do if he had created a be-user.
> He would still be able to arbitrarily create/edit/delete page content
> and modify templates.
> Where is the improvement on a database-centered platform like Typo3?
> 
> 
> regards
> felix

Yes, as I said in my initial post, the evil hacker may be able to
delete/modify/add records in different database tables, but:

He would not be able to add a new backend user and gain access to the
backend, and by that upload malicious scripts which would make him able to
edit source files and by that take control of the website.

So, even though he has access to maybe delete all backend users or
delete pages, he would at least not be able to delete the entire
installation or install other spy tools which are not discovered until they
have been used for a long period of time.

This is not ensuring the entire system, and still leaves some possibility to
leave some damage. But at least it is a step in the right way and closes one
way of getting access to the entire system.

- Lars




