[TYPO3-dev] Thoughts about security in BE
Ernesto Baschny [cron IT]
ernst at cron-it.de
Fri Jan 18 16:52:33 CET 2008
Steffen Kamper wrote on 18.01.2008 13:38:
>>>>> why not using .htaccess for phpmyadmin?
>>>> If you ship phpmyadmin with a set .htaccess file, everybody - also
>>>> attackers - would know the password. This would also require that
>>>> .htaccess-files are allowed to be set by webserver configuration.
>>>> If you ship phpmyadmin with a deactivated, ready-to-use .htaccess-file this
>>>> requires the admin to activate it first to profit from improved
>>>> security. Therefore this type of installation would be as secure as
>>>> current one.
>>> There are other possibilities. Checking for existing .htaccess. If it's
>>> missing, only show a screen with Error: Missing .htaccess
>>> Any admin can create own htaccess.
>> You got me. ;-)
>> That's also a possibility. But this would also require that webserver
>> configuration allows to use htaccess-files at all!
>
> without there is no phpadmin ;-)
> without there is no realurl or others like that. It's imho a recommendation
> for TYPO3.
There is not only Apache out there, I hear... :) IIS doesn't have
.htaccess files. Other web servers are also different. So this cannot be
the "real" solution.
Cheers,
Ernesto