[TYPO3-dev] Thoughts about security in BE
Steffen Kamper
steffen at sk-typo3.de
Fri Jan 18 19:54:54 CET 2008
"Ernesto Baschny [cron IT]" <ernst at cron-it.de> schrieb im Newsbeitrag
news:mailman.1.1200671553.1710.typo3-dev at lists.netfielders.de...
> Steffen Kamper wrote: on 18.01.2008 13:38:
>
>>>>>> why not using .htaccess for phpmyadmin?
>>>>> If you ship phpmyadmin with a set .htaccess file, everybody - also
>>>>> attackers - would know the password. This would also require that
>>>>> .htaccess-files are allowed to set by webserver configuration.
>>>>> If you ship phpmyadmin with a deactived ready to use .htaccess-file
>>>>> this requires the admin to activate it first to profit from improved
>>>>> security. Therefore this type of installation would be as secure as
>>>>> current one.
>>>> There are other possibilities. Checking for existing .htaccess. If's
>>>> missing, only show a screen with Error: Missing .htaccess
>>>> Any admin can create own htaccess.
>>> You got me. ;-)
>>> That's also a possibility. But this would also require that webserver
>>> configuration allows to use htaccess-files at all!
>>
>> without there is no phpadmin ;-)
>> without there is no realurl or others like that. It's imho a
>> recommendation for TYPO3.
>
> There is not only apache out there, I hear... :) IIS doesn't have
> .htaccess files. Other Webservers are also different. So this cannot be
> the "real" solution.
>
> Cheers,
> Ernesto
II what? :)
How does $M deal with realurl, is there a solution?
Is there a solution for directory access? May be it could also considered in
script
if(IIS && anyDirectoryAccessMethosExists) ...
i have no expierience with IIS.
vg Steffen
More information about the TYPO3-dev
mailing list