[TYPO3-dev] Thoughts about security in BE
Steffen Kamper
steffen at sk-typo3.de
Fri Jan 18 13:23:45 CET 2008
"Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in the news article
news:mailman.1.1200658866.5872.typo3-dev at lists.netfielders.de...
> Steffen Kamper wrote:
>> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in the news article
>> news:mailman.1.1200655989.28496.typo3-dev at lists.netfielders.de...
>>> Georg Ringer wrote:
>>>> Hi Marcus,
>>>>
>>>> changes concerning extensions can just be done by an admin and an admin
>>>> should know what he does!
>>> If someone hijacked an admin account via XSS, the admin is someone else,
>>> not the person that you intended to be admin!
>>>
>>>
>>>> And I guess no hack works via the backend but directly to the database
>>>> with
>>>> an UPDATE/INSERT/DELETE query.
>>> Think about a person as described above firing a "TRUNCATE TABLE pages" with
>>> phpmyadmin!
>>>
>>>
>>
>>
>> Why not use .htaccess for phpmyadmin?
>
> If you ship phpmyadmin with a set .htaccess file, everybody - also
> attackers - would know the password. This would also require that
> .htaccess files are allowed to be set by the webserver configuration.
> If you ship phpmyadmin with a deactivated, ready-to-use .htaccess file, this
> requires the admin to activate it first to profit from the improved security.
> Therefore this type of installation would be as secure as the current one.
There are other possibilities: checking for an existing .htaccess. If it's
missing, only show a screen with "Error: Missing .htaccess".
Any admin can create their own .htaccess.
Regards, Steffen