[TYPO3-dev] Thoughts about security in BE
Daniel Pötzinger
operation-lan at gmx.de
Sun Jan 20 07:03:42 CET 2008
Marcus Krause wrote:
> Georg Ringer wrote:
>> Marcus Krause wrote:
>>> Where does a typical admin in BE have the possibility to access the DB
>>> directly? By using phpMyAdmin.
>>
>> and all extensions he has got direct write access to
>
> Write access to installed extensions is by default NOT enabled and has
> to be activated by setting $TYPO3_CONF_VARS['EXT']['noEdit'].
> Also, with the suggested points implemented, the admin has to authenticate first
> to use the Extension Manager tool.
But then there is still the possibility to
* do queries via TypoScript,
* read the DB access data (username, password),
* add a .inc file in fileadmin and include it with TypoScript (=> execute any PHP),
* ...
Really hard to take care of all of them.
Maybe the simplest is to protect the BE with the means already available:
- force IP check, referer check etc. (built in)
- add .htaccess to the BE
- force SSL
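The built-in protections listed above (IP restriction, referer check, forced SSL) and the extension write lock mentioned earlier correspond to settings in typo3conf/localconf.php. The following is an added illustration, not code from the thread or from the TYPO3 project; the option names are those of the TYPO3 4.x configuration as assumed here and should be checked against the Install Tool of the version in use, and the IP ranges are placeholders.

```php
<?php
// typo3conf/localconf.php hardening example (added illustration, not from the thread).
// Option names assumed to be TYPO3 4.x; verify them in the Install Tool.

// Allow backend requests only from the administrators' networks.
// Placeholder ranges: replace with the real office/VPN addresses.
$TYPO3_CONF_VARS['BE']['IPmaskList'] = '192.168.10.*,10.0.0.1';

// Bind a backend session to the client IP (4 = all four octets must match),
// so a stolen session cookie cannot be replayed from another host.
$TYPO3_CONF_VARS['BE']['lockIP'] = 4;

// Keep the built-in referer check enabled (0 = check, 1 = do not check).
$TYPO3_CONF_VARS['SYS']['doNotCheckReferer'] = 0;

// Force SSL for the backend: 2 redirects plain-http backend requests to https.
$TYPO3_CONF_VARS['BE']['lockSSL'] = 2;

// Keep editing of extension files through the Extension Manager disabled
// (this is the default; 0 would enable editing).
$TYPO3_CONF_VARS['EXT']['noEdit'] = 1;
```

The .htaccess password layer in front of the typo3/ directory is independent of these settings and lives in the web server configuration, so an attacker who bypasses one layer still faces the other.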