[TYPO3-dev] Thoughts about security in BE
Marcus Krause
marcus.krause at tu-clausthal.de
Fri Jan 18 13:05:04 CET 2008
Steffen Kamper wrote:
> Hi Marcus,
>
> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in message
> news:mailman.1.1200654568.10056.typo3-dev at lists.netfielders.de...
>> Hi Devs!
>>
>>
>> As XSS is a major problem mainly for third party extensions and affects
>> not only them but also TYPO3 itself (BE etc.) and you simply cannot review
>> them all, I would suggest securing security related functions in BE.
>> In my opinion this would include following:
>>
>> - Password changes to user accounts require the old/current password
>> - before using the extension phpmyadmin you should explicitly be requested to
>> enter your current password
>> - before installing extensions with the ext-manager you should explicitly be
>> requested to enter your current password
>>
>>
>> What do you think? Any more points to be added to above list?
>>
>>
>> Cheers,
>> Marcus.
>
> I think several points asking for a password are very annoying for users and
> not the right way - this can end up with pw-entry with nearly every
> action.
A normal NON-Admin BE-User should only be affected by sharpened security
measures when he wants to change his password.
Only admins will need to insert credentials to authenticate usage of security
related modules.
> If there are vulnerabilities in Core with XSS they should be removed.
> A good start is the removeXSS-class, which is currently integrated in core.
> There are some bugs inside, which should be removed, so this class can be
> used in core (and in extensions as well).
If there were any XSS vulnerability in an extension, this could also lead
to a hijacked admin account! ;-)
> As XSS can be very tricky, information in this direction is very
> important. I know, showing possible XSS is also good information for
> attackers (but they are mostly one step further), but many devs should be
> made sensitive to this. You and the security team know best where the
> vulnerabilities are, but the core team can be overstrained with fixing them all, so
> help from other devs is important.
Information policy regarding that could definitely be improved.
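The re-authentication scheme discussed in this thread (current password required for a password change by every BE user, and a fresh password confirmation required from admins before security-related modules are used) can be sketched as a small guard. The code below is an added example written for this page; it is not TYPO3 code and not part of the original mail. All names (needsReauth, confirmPassword, changePassword, REAUTH_MAX_AGE, the $user and $session array layouts, the action identifiers) are hypothetical. The re-auth timestamp lives in the server-side session, so a script injected into a logged-in browser via XSS cannot pass the guard without knowing the password, which is the property that protects against a hijacked admin session.

```php
<?php
declare(strict_types=1);

// Hypothetical re-authentication guard (added example, not TYPO3 code).
// A confirmed password stays valid for this many seconds.
const REAUTH_MAX_AGE = 300;

// Admin-only actions that require a fresh password confirmation.
const ADMIN_SENSITIVE_ACTIONS = ['install_extension', 'open_phpmyadmin'];

// Which actions are sensitive for which user: password change for everyone,
// the admin-only modules for admins only (non-admins are otherwise unaffected).
function isSensitiveFor(array $user, string $action): bool
{
    if ($action === 'change_password') {
        return true;
    }
    return $user['admin'] === true && in_array($action, ADMIN_SENSITIVE_ACTIONS, true);
}

// True when the action is sensitive and the last confirmation is missing or stale.
function needsReauth(array $user, array $session, string $action, int $now): bool
{
    if (!isSensitiveFor($user, $action)) {
        return false;
    }
    $last = $session['reauth_at'] ?? 0;
    return ($now - $last) > REAUTH_MAX_AGE;
}

// Verify the current password and record the confirmation time server-side.
// password_verify() performs a timing-safe comparison against the stored hash.
function confirmPassword(array $user, array &$session, string $candidate, int $now): bool
{
    if (!password_verify($candidate, $user['password_hash'])) {
        return false;
    }
    $session['reauth_at'] = $now;
    return true;
}

// Password change always demands the old password, independent of session state,
// so a hijacked session alone cannot lock the legitimate owner out.
function changePassword(array &$user, string $current, string $new): bool
{
    if (!password_verify($current, $user['password_hash'])) {
        return false;
    }
    $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// --- constructed demo data, not taken from any real installation ----------
$admin  = ['admin' => true,  'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)];
$editor = ['admin' => false, 'password_hash' => password_hash('editor-pw', PASSWORD_DEFAULT)];
$session = [];
$now = time();

// Non-admin editor: only the password change is gated.
var_dump(needsReauth($editor, $session, 'install_extension', $now));
var_dump(needsReauth($editor, $session, 'change_password', $now));

// Admin without a recent confirmation is stopped before the extension manager.
var_dump(needsReauth($admin, $session, 'install_extension', $now));

// A wrong password leaves the session unconfirmed; the right one opens the window.
var_dump(confirmPassword($admin, $session, 'wrong', $now));
var_dump(confirmPassword($admin, $session, 'old-secret', $now));
var_dump(needsReauth($admin, $session, 'install_extension', $now));

// Once the window has expired the admin must confirm again.
var_dump(needsReauth($admin, $session, 'install_extension', $now + REAUTH_MAX_AGE + 1));

// Password change: rejected without the current password, accepted with it.
var_dump(changePassword($admin, 'wrong', 'new-secret'));
var_dump(changePassword($admin, 'old-secret', 'new-secret'));
```

The confirmation window is what keeps the scheme from becoming "a password prompt on every action": one confirmation covers all sensitive admin actions for REAUTH_MAX_AGE seconds, and ordinary editors are never prompted except when changing their own password.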