[TYPO3-dev] Thoughts about security in BE
Steffen Kamper
steffen at sk-typo3.de
Fri Jan 18 12:51:23 CET 2008
Hi Marcus,
"Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in the newsgroup message
news:mailman.1.1200654568.10056.typo3-dev at lists.netfielders.de...
> Hi Devs!
>
>
> As XSS is a major problem mainly for third-party extensions and affects
> not only them but also TYPO3 itself (BE etc.), and you simply cannot review
> them all, I would suggest securing security-related functions in the BE.
> In my opinion this would include the following:
>
> - Password changes to user accounts require the old/current password
> - before using the extension phpmyadmin you should be explicitly requested to
> enter the current password
> - before installing extensions with the ext-manager you should be explicitly
> requested to enter the current password
>
>
> What do you think? Any more points to be added to above list?
>
>
> Cheers,
> Marcus.
I think asking for the password at several points is very annoying for users and
not the right way; this can end up with a password entry for nearly every
action.
If there are XSS vulnerabilities in the Core, they should be removed.
A good start is the removeXSS class, which is currently integrated in the core.
There are some bugs inside which should be fixed, so this class can be
used in the core (and in extensions as well).
As XSS can be very tricky, information in this direction is very
important. I know that showing possible XSS is also good information for
attackers (but they are mostly one step ahead), but many devs should be
made aware of this. You and the security team know best where the
vulnerabilities are, but the core team can be overstrained with fixing them all, so
help from other devs is important.
Regards, Steffen
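The "ask for the current password before sensitive actions" gate that Marcus proposes, as an added PHP example that is not part of the original thread and is not TYPO3 code: the function names, the list of step-up actions and the five-minute confirmation window are assumptions made for illustration. The window is not in Marcus's proposal; it is added here as one way to answer Steffen's objection about constant password prompts, and the comments spell out what it costs in return.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Hypothetical helpers that implement the
// step-up re-authentication discussed in the thread.

// Actions for which a valid session alone is not enough (assumed list).
const STEP_UP_ACTIONS = ['change_password', 'open_phpmyadmin', 'install_extension'];

// Seconds a confirmed password stays valid for follow-up sensitive requests
// (assumed value; shorter means more prompts, longer means a wider window in
// which a forged request still passes).
const STEP_UP_WINDOW = 300;

/**
 * Returns true when $action may proceed.
 *
 * Sensitive actions pass only if the request itself carries the current
 * password, or if the session recorded a password confirmation less than
 * STEP_UP_WINDOW seconds ago. A script injected via XSS runs with the
 * admin's session cookie and can forge any form post, but it cannot supply a
 * password it has never seen, so the first branch cannot be satisfied by it.
 * The second branch is the trade-off: inside the window a forged request
 * does pass, which is the price of not prompting on every action.
 */
function stepUpAllowed(string $action, string $storedHash, ?string $suppliedPassword, array &$session, int $now): bool
{
    if (!in_array($action, STEP_UP_ACTIONS, true)) {
        return true; // ordinary action: normal session authentication is enough
    }
    if ($suppliedPassword !== null && password_verify($suppliedPassword, $storedHash)) {
        $session['pw_confirmed_at'] = $now;
        return true;
    }
    $confirmedAt = $session['pw_confirmed_at'] ?? null;
    return $confirmedAt !== null && ($now - $confirmedAt) < STEP_UP_WINDOW;
}

/**
 * Password change that requires the old password in the same request.
 * Returns the new hash, or null when the old password does not verify.
 * Binding the check to this request (rather than to a session flag set
 * earlier) means a forged request cannot change the password without it.
 */
function changePassword(string $storedHash, string $oldPassword, string $newPassword): ?string
{
    if (!password_verify($oldPassword, $storedHash)) {
        return null;
    }
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

// --- demo with constructed data (not from any real TYPO3 installation) ------
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$session = [];
$t = 1000000;

// Request forged by an XSS payload: valid session, but no password supplied.
var_dump(stepUpAllowed('install_extension', $hash, null, $session, $t));
// An ordinary action that needs no step-up.
var_dump(stepUpAllowed('list_pages', $hash, null, $session, $t));
// The genuine user supplies the password; this also opens the window.
var_dump(stepUpAllowed('install_extension', $hash, 'correct horse battery staple', $session, $t));
// A follow-up sensitive action inside the window, without the password.
var_dump(stepUpAllowed('open_phpmyadmin', $hash, null, $session, $t + 60));
// The same request after the window has expired.
var_dump(stepUpAllowed('open_phpmyadmin', $hash, null, $session, $t + 600));

// Password change: wrong old password, then the right one.
var_dump(changePassword($hash, 'wrong', 'new-secret'));
$newHash = changePassword($hash, 'correct horse battery staple', 'new-secret');
var_dump($newHash !== null && password_verify('new-secret', $newHash));
```

Run it with the PHP CLI (`php gate.php`). Note that the gate only helps where the password is checked server-side in the sensitive request; a session flag that the front end sets after a "please confirm your password" dialog would be forgeable by the same injected script, and the flag would give no protection at all.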