[TYPO3-dev] Thoughts about security in BE
Marcus Krause
marcus.krause at tu-clausthal.de
Fri Jan 18 12:59:28 CET 2008
Martin Kutschker wrote:
> Marcus Krause schrieb:
>>
>> - Password changes to user accounts require the old/current password
>
> Possible (Core change).
And it is often used for applications in the IT world.
>> - before using extension phpmyadmin you should explicitly be requested
>> to insert the current password
>
> I'd use a specific password for the tool, not the user's password (or
> perhaps both). Anyway this is a change of the ext which is not maintained
> by the Core team as it isn't a sysext any more.
Any password would be okay (perhaps the install tool's?). I know, this is a third
party extension, but I was interested in what you think about that before
filing a feature request.
>> - before installing extensions with ext-manager you should explicitly be
>> requested to insert the current password
>
> Possible (Core change).
>
> As I understand you want to protect the BE against hijacking of an admin
> session. Is this correct?
Yes, that's right.
To make this effective, information about a re-entered password used for
authentication to a security-related module in the BE SHOULD NOT be stored in the user's
session. Every call to such a module would again require entering such
credentials. Which module the current BE user is using could then be
determined from HTTP_REFERER or from a session variable.
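To make the scheme concrete, here is an added illustration in Python (not TYPO3 code and not from this thread): a request dispatcher that gates sensitive backend modules on a freshly supplied password and keeps no re-authentication state in the session, plus a password change that requires the current password. The module names, the user record and the PBKDF2 storage format are constructed stand-ins.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed choice for the illustration

def hash_password(password, salt=None):
    """Return 'salthex$dkhex' for a password (constructed storage format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()

def verify_password(password, stored):
    """Constant-time comparison of a supplied password against the stored hash."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)

class ReauthRequired(Exception):
    """Raised when a sensitive module is called without a valid fresh password."""

# Hypothetical module names standing in for the modules discussed in the thread.
SENSITIVE_MODULES = {"ext_manager", "phpmyadmin", "change_password"}

def dispatch(user, session, module, supplied_password=None):
    """Route a BE request; the session only carries identity, never a re-auth flag."""
    if module in SENSITIVE_MODULES:
        # Checked on every call: nothing about the outcome is written to the session,
        # so a hijacked session cookie alone cannot reach these modules.
        if supplied_password is None or not verify_password(supplied_password, user["password_hash"]):
            raise ReauthRequired(module)
    assert "reauthenticated" not in session  # guard against caching the result
    return module + ":ok"

def change_password(user, current_password, new_password):
    """Only rotate the password when the current one is supplied and correct."""
    if not verify_password(current_password, user["password_hash"]):
        return False
    user["password_hash"] = hash_password(new_password)
    return True
```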