[TYPO3-dev] Improvement against SQL injections (extension created)

ries van Twisk typo3 at rvt.dds.nl
Sat Jun 16 19:50:00 CEST 2007


Hey Guys,

I just put on TER the following extension: rvt_detectsqlinjection

The extension hooks into
$TYPO3_CONF_VARS['SC_OPTIONS']['tslib/class.tslib_fe.php']['connectToDB'][]

So right after the DB connection is created the SQL injection detection
system is executed. Currently it will try to find typical SQL injections
(inserts/updates/deletes) and when that happens all execution is halted,
a message is displayed and we send off an e-mail to the webmaster.

Thus trying to protect all available extensions currently on TER that
don't properly handle incoming post/get/cookie variables.

Let me know what you think of it and what areas of improvement there are.

Ries



> I am writing a sample extension that can detect SQL injections from
> POST/GET variables, basically to protect all FE in one go.
>
> Ries
>
> On Jun 16, 2007, at 10:46 AM, ries van Twisk wrote:
>
>>
>> On Jun 16, 2007, at 8:43 AM, Lars Houmark wrote:
>>
>>> On 16/06/07 15:19, in article
>>> mailman.329956.1181999992.21067.typo3-dev at lists.netfielders.de,
>>> "ries van Twisk" <typo3 at rvt.dds.nl> wrote:
>>>
>>>> One problem with two DB users (now I think of it) is that maybe
>>>> some hosters don't allow you to set up two users for one database.
>>>> I am not sure since I never use a hoster to host my websites.
>>>>
>>>> I remember that once I have seen Plesk and that is just a big pain
>>>> in the arse to get things done.
>>>>
>>>> Does somebody know more about that?
>>>>
>>>
>>> This was exactly my point. The security of the backend depends
>>> firstly on access/allowance of using two DB users and secondly on
>>> the user actually doing it.
>>>
>>> We have learned from the coding guidelines that even developers do
>>> not read them and create insecure extensions - otherwise we would
>>> not have this discussion.
>>>
>>> So I seek a solution where this is controlled with no user setup and
>>> by TYPO3 alone. I think your ideas about improving security with
>>> improved setup belong in the documentation about tuning a server
>>> setup.
>>>
>>> - Lars
>>>
>>>
>>
>> Lars,
>>
>> I am not too sure how much it would really help, although I don't
>> understand it completely.
>>
>> What you are trying to prevent is unauthorized access to the BE if a
>> set of tables is not valid, right?
>>
>> I think it's a nice system to block unauthorized access.
>>
>> What if we parse all get/post vars and try to detect if we see any
>> SQL queries? If we see that we block access from that IP and send a
>> mail to the administrator.
>>
>> Under normal conditions in the FE you would never see any SQL query
>> at all and we then protect the complete FE for all extensions in one
>> go.
>>
>> This will take some additional overhead (create PHP module???) but it
>> might be something to bring the security in general to a higher
>> level.
>>
>> Ries
>>
>>
>>
>>
>> _______________________________________________
>> TYPO3-dev mailing list
>> TYPO3-dev at lists.netfielders.de
>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
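The request-scanning hook that Ries describes in the top post, written out as an added PHP example; this is not the rvt_detectsqlinjection extension's code. It assumes the TYPO3 4.x connectToDB hook calling convention (the registered method receives a parameter array and the tslib_fe object), and the class name, extension path, regex rules, constructed sample request and webmaster address are all placeholders chosen for this example:

```php
<?php
// Added example, not the rvt_detectsqlinjection extension's code.
// Class name, rules, paths and the mail recipient are placeholders.
class tx_example_sqlinjectionguard
{
    // Statement shapes the top post names (inserts/updates/deletes) plus a
    // UNION SELECT rule; case-insensitive and bound to the surrounding
    // keywords so ordinary prose such as "insert coins" does not match.
    private $rules = array(
        'insert' => '/\binsert\s+into\s+[`\w]+/i',
        'update' => '/\bupdate\s+[`\w]+\s+set\s+[`\w]+\s*=/i',
        'delete' => '/\bdelete\s+from\s+[`\w]+/i',
        'union'  => '/\bunion\s+(all\s+)?select\b/i',
    );

    // Walk every source (GET/POST/COOKIE), nested arrays included, and
    // return one hit per (source, key, rule) match.
    public function scan(array $sources)
    {
        $hits = array();
        foreach ($sources as $name => $vars) {
            $this->walk($name, '', $vars, $hits);
        }
        return $hits;
    }

    private function walk($source, $path, $value, array &$hits)
    {
        if (is_array($value)) {
            foreach ($value as $key => $child) {
                $childPath = ($path === '') ? (string) $key : $path . '[' . $key . ']';
                $this->walk($source, $childPath, $child, $hits);
            }
            return;
        }
        $text = (string) $value;
        foreach ($this->rules as $rule => $regex) {
            if (preg_match($regex, $text)) {
                $hits[] = array('source' => $source, 'key' => $path, 'rule' => $rule);
            }
        }
    }

    // Hook entry point. Assumption (TYPO3 4.x): tslib_fe::connectToDB()
    // calls each registered function as userFunc($params, $pObj).
    // Registration in ext_localconf.php (hypothetical path and class):
    //   $TYPO3_CONF_VARS['SC_OPTIONS']['tslib/class.tslib_fe.php']['connectToDB'][] =
    //     'EXT:myext/class.tx_example_sqlinjectionguard.php:tx_example_sqlinjectionguard->connectToDB';
    public function connectToDB(array $params, $pObj)
    {
        $hits = $this->scan(array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE));
        if (count($hits) === 0) {
            return; // nothing suspicious: let the frontend continue as normal
        }
        $this->notifyWebmaster($hits);
        header('HTTP/1.0 403 Forbidden');
        exit('Request blocked: the input looked like an SQL injection attempt.');
    }

    private function notifyWebmaster(array $hits)
    {
        $lines = array();
        foreach ($hits as $hit) {
            // Only key names and rule ids go into the mail; the raw values are
            // left out on purpose so the report never carries the payload itself.
            $lines[] = sprintf('%s[%s] matched rule "%s"', $hit['source'], $hit['key'], $hit['rule']);
        }
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        $body = "Remote address: " . $ip . "\n" . implode("\n", $lines) . "\n";
        // Placeholder recipient; a real extension would read it from its config.
        @mail('webmaster@example.invalid', 'Possible SQL injection attempt blocked', $body);
    }
}

// Stand-alone demonstration on a constructed request (run: php this_file.php).
if (PHP_SAPI === 'cli') {
    $guard = new tx_example_sqlinjectionguard();
    $sample = array(
        'GET'    => array('id' => '42', 'tx_news' => array('uid' => '1; delete from pages')),
        'POST'   => array('search' => 'insert coins to continue'),
        'COOKIE' => array('fe_typo_user' => 'abc123'),
    );
    print_r($guard->scan($sample));
}
```

Run from the command line, the demonstration reports exactly one hit, GET key tx_news[uid] against the delete rule, while the prose in the POST field and the plain page id pass untouched. Two caveats go with a scanner like this: a rule set that matches statement shapes will both miss inputs written to avoid them and flag legitimate content that happens to contain such a statement (a forum post quoting SQL, for example), so it is a defence-in-depth layer in front of extensions, not a substitute for escaping or parameterised queries inside them, which is the coding-guideline problem Lars raises in the quoted thread.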