[TYPO3-dev] Idea for hardened TYPO3 BE-User-Accounts
Christian Trabold
typo3 at christian-trabold.de
Thu Oct 25 23:27:52 CEST 2007
Hi,
while thinking about TYPO3 + SQL-Injections ;) the following idea popped
into my mind:
What about a new field in be_users which stores a value (the salt) which
is unique for the given TYPO3-Installation (e.g. the TYPO3-Encryption-Key).
If a backend user logs into the backend this value is checked against
the current TYPO3-Encryption-Key.
Example:
SELECT username,
password
FROM be_users
WHERE username = $username
AND password = $p_field
AND salt = $TYPO3_CONF_VARS['SYS']['encryptionKey']
*WHY all this?*
Well, IF a hacker finds a security hole to fire up SQL-injections, he
could not create an admin nor an ordinary backend account unless he
knows the encryption key of the site.
Of course this does not prevent the hacker from doing other bad things
with the DB but it could be a good prevention of a silent takeover of
the TYPO3-Backend (e.g. if the hacker creates a custom-built admin which
will not be recognized by other BE-Admins).
I'd like to hear your opinion about this idea. Could this be a real
hardener?
Greetings
Christian