[TYPO3-dev] Improvement against SQL injections
Georg Ringer
mail-spam at ringerge.org
Sat Jun 16 08:57:44 CEST 2007
Hello Lars,
Lars Houmark wrote:
> We have recently seen a rather big threat with macina_banners, using
> simple SQL injections to gain backend access.
>
> That made me start thinking about how to improve the backend against
> exploits where modifications to the be_users table have been done by the
> evil person.
I can't really tell something about your idea because I've got too little
knowledge about it, but I wanna say something else ;)
What about the security reviews? It has sounded quite promising and
would be the correct way! If a new extension gets into TER, it is first
of all an insecure ext, except in some special cases like (just some ideas):
- having no SQL query in it
- being just a modification in the BE (like date2cal, ...)
- being just a small update of a secure extension
Today, everybody disables the feature in the EM because there are no
extension reviews, besides the language packages of 3.8.1 and 2-3 others.
I bet there are far more extensions out there which are as critical as
macina_banners, and we have the luck that our clients are not the script
kiddies like at Joomla, because the possibility for an SQL injection has
been out there since the beginning and the extension is quite often used!
We really need this review thing starting *again*.
Georg