[TYPO3-dev] Improvement against SQL injections

Franz Holzinger franz at fholzinger.com
Mon Jun 18 14:39:38 CEST 2007


Martin Kutschker wrote:
> Elmar Hinz wrote:
>>> Oh, well, this is not so simple. Of course, all data modification
>>> should go through TCEmain, it can watch and create this file. But
>>> checking it is 

A special file to check backend users would make the admins' lives
harder. And it still does not help with obtaining the info and rights of
frontend users and changing the posts of users in a forum.
The passwords of the backend users are already encrypted. The encryption
key from the install tool could be used for the encryption of the password.

class.t3lib_userauth.php:
// $this->security_level for the backend must be "superchallenged" because passwords are stored as md5-hashes in the be_users table
// $this->security_level for the frontend must be "normal" or "challenged" because passwords are stored as clear-text in the fe_users tables

So everyone can store an md5-hashed password. But the password should be
merged with the encryption key of the install tool. Then nobody would be
able to insert a new backend user without knowledge of the
encryption key.
So the encryption key would be appended to the entered password. Then
the md5 sum is built on the whole string and compared with the value of the
backend user's password field.
A notification email could be sent upon the creation of a new backend user
with admin privileges (starting state hidden). The TYPO3 super admin
could be forced to edit a file in the TYPO3 folder (outside of fileadmin
and uploads) and add the name of the new backend admin there and maybe
an additional string which would also be added to the entered password
to build the md5 checksum.

>> What do you mean with "all data modification should go through TCEmain"?
>> Now, it would be a consistent way to handle things.
> 
> But we cannot enforce it. That's why I think adding extra checks this
> way won't help. Any ext. author may get direct access to DB via the PHP
> API if he wants to.

A basic check could be inserted into DBAL to be done automatically with
each DB access. And every extension which has been proved to only use
DBAL functions for DBAL access could gain a security level 1.
A security info in the EM could inform people about extensions
which do not use DBAL.

- Franz
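The keyed-hash idea in the message above, worked through as an added example (this is not TYPO3 code and not Franz's proposal verbatim; the dict standing in for be_users, the ENCRYPTION_KEY constant and the function names are assumptions made for the demonstration). The point it shows: with plain md5(password) in the table, an attacker who gains write access through SQL injection can insert a row whose hash they computed themselves and then log in; if the stored value depends on a server-side secret that is kept on disk rather than in the database, the same inserted row fails verification while legitimate users still pass.

```python
import hashlib
import hmac

# Assumption: stands in for the install tool's encryption key. The scheme only
# helps if this secret lives in a config file on disk, not in the database the
# attacker can read or write through the injection.
ENCRYPTION_KEY = "assumed-install-tool-encryption-key"


def md5_hex(data: str) -> str:
    """md5 hex digest of a UTF-8 string (the hash TYPO3 used for be_users at the time)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


# --- current scheme: be_users.password = md5(password) ---------------------

def store_plain(users: dict, username: str, password: str) -> None:
    users[username] = md5_hex(password)


def verify_plain(users: dict, username: str, password: str) -> bool:
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(stored, md5_hex(password))


# --- proposed scheme: md5 over password merged with the install-tool key ----

def store_keyed(users: dict, username: str, password: str,
                key: str = ENCRYPTION_KEY) -> None:
    users[username] = md5_hex(password + key)


def verify_keyed(users: dict, username: str, password: str,
                 key: str = ENCRYPTION_KEY) -> bool:
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(stored, md5_hex(password + key))


# --- same idea with the standard keyed construction (HMAC) ------------------

def store_hmac(users: dict, username: str, password: str,
               key: str = ENCRYPTION_KEY) -> None:
    users[username] = hmac.new(key.encode("utf-8"), password.encode("utf-8"),
                               hashlib.sha256).hexdigest()


def verify_hmac(users: dict, username: str, password: str,
                key: str = ENCRYPTION_KEY) -> bool:
    stored = users.get(username)
    expected = hmac.new(key.encode("utf-8"), password.encode("utf-8"),
                        hashlib.sha256).hexdigest()
    return stored is not None and hmac.compare_digest(stored, expected)


def attacker_insert(users: dict, username: str, password: str) -> None:
    """What an attacker with SQL-injection write access can do: add a row whose
    password column is md5(password), the only value computable without the key."""
    users[username] = md5_hex(password)


def demo() -> tuple:
    """Returns (plain_attack_works, keyed_attack_works, hmac_attack_works,
    legit_keyed_works, legit_hmac_works) for a constructed be_users table."""
    plain = {}
    store_plain(plain, "admin", "correct horse battery")
    attacker_insert(plain, "evil", "hunter2")
    plain_attack_works = verify_plain(plain, "evil", "hunter2")

    keyed = {}
    store_keyed(keyed, "admin", "correct horse battery")
    attacker_insert(keyed, "evil", "hunter2")
    keyed_attack_works = verify_keyed(keyed, "evil", "hunter2")
    legit_keyed_works = verify_keyed(keyed, "admin", "correct horse battery")

    with_hmac = {}
    store_hmac(with_hmac, "admin", "correct horse battery")
    attacker_insert(with_hmac, "evil", "hunter2")
    hmac_attack_works = verify_hmac(with_hmac, "evil", "hunter2")
    legit_hmac_works = verify_hmac(with_hmac, "admin", "correct horse battery")

    return (plain_attack_works, keyed_attack_works, hmac_attack_works,
            legit_keyed_works, legit_hmac_works)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: md5(password + key) is a keyed hash, not a password hash, so it still offers no per-user salt and no work factor against an attacker who does obtain the key; HMAC is the standard keyed construction and is shown alongside it. And the protection holds only as long as the key cannot be read through the same injection, so a migration would also need existing md5-only rows rehashed or rejected.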
More information about the TYPO3-dev mailing list