[TYPO3-dev] Thoughts about security in BE
Steffen Ritter
info at rs-websystems.de
Fri Jan 18 19:50:55 CET 2008
Marcus Krause wrote:
> Georg Ringer wrote:
>> Marcus Krause wrote:
>>> Where does a typical admin in BE have the possibility to access the DB
>>> directly - by using phpmyadmin.
>>
>> and all extensions he has got direct writing access
>
> Writing access to installed extensions is by default NOT enabled and has
> to be activated by setting $TYPO3_CONF_VARS['EXT']['noEdit']
> Also with implementing suggested points admin has to authenticate first
> to use Extension Manager tool.
I personally think you react too hard. You can never secure any software
against all possible things. And as long as it is a tool on the Web,
there will be risks. And if you want to have an admin interface on the
Web (not secured by IP ranges or something else) you won't get rid of
these risks. And if you are that overcautious you must not use
a web-based tool. Sure, there are points where you're right and that we
may think about. But this must not have a negative effect on usability.
Because, if we are realistic, most TYPO3 installations won't ever be
touched with the aim to hijack them. And big, famous public installations
have their own things against it (IP ranges). No backend on the web
server, but on other, non-reachable machines, and so on. So I do not
think there are such big risks, since you have possibilities with
.htaccess to secure special modules, if you are in fear of hacking.
So far
greetings
Steffen