[TYPO3-dev] Thoughts about security in BE
Marcus Krause
marcus.krause at tu-clausthal.de
Mon Jan 21 23:52:39 CET 2008
Daniel Pötzinger wrote:
> Marcus Krause schrieb:
>> Georg Ringer wrote:
>>> Marcus Krause schrieb:
>>>> Where does a typical admin in BE have the possibility to access the DB
>>>> directly - by using phpmyadmin.
>>>
>>> and all extensions he has got direct writing access
>>
>> Writing access to installed extensions is by default NOT enabled and
>> has to be activated by setting $TYPO3_CONF_VARS['EXT']['noEdit'].
>> Also, with the suggested points implemented, an admin has to authenticate
>> first to use the Extension Manager tool.
>
> But then there is still the possibility to
> * do queries by typoscript.
> * read the DB access data (username, password)
> * add a .inc file in fileadmin and include it with typoscript (=>
> execute any PHP)
> ....
>
> really hard to take care of all.
Indeed.
> Maybe the simplest is to protect the BE by the given possibilities:
> - force IP check, referer check etc. (built in)
> - add htaccess to BE
> - force SSL
My intention is to get a DEFAULT installation of TYPO3 as secure as possible.
Any optional and currently provided measures could just be omitted when an admin
gets his installation running.
- require old/current password for password changes
- implementing an authentication mechanism for phpmyadmin
- implementing an authentication mechanism for EM
are quite simple but effective steps to get a default TYPO3 installation more secure.
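The first of the three steps above ("require old/current password for password changes") as an added example, not part of this thread and not TYPO3's own code: a PHP function that refuses a backend password change unless the current password verifies first, so that a hijacked session alone is not enough to take over the account. The function name, the return structure and the sample account are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Change a backend user's password only after re-authenticating.
 * (Hypothetical helper for illustration, not a TYPO3 API.)
 *
 * $storedHash      hash of the user's current password (password_hash() output)
 * $currentPassword what the user typed into the "current password" field
 * $newPassword     the requested new password
 * $confirmPassword repeat of the new password
 *
 * Returns ['ok' => bool, 'hash' => ?string, 'error' => ?string].
 */
function changeBackendPassword(
    string $storedHash,
    string $currentPassword,
    string $newPassword,
    string $confirmPassword
): array {
    // 1. Re-authenticate. Without this check, anyone holding a valid session
    //    (stolen cookie, unattended browser) could lock the real user out.
    if (!password_verify($currentPassword, $storedHash)) {
        // Worth logging: repeated failures here are a signal of a hijacked session.
        error_log('password change rejected: current password did not verify');
        return ['ok' => false, 'hash' => null, 'error' => 'current password is wrong'];
    }

    // 2. Sanity checks on the new password.
    if (!hash_equals($newPassword, $confirmPassword)) {
        return ['ok' => false, 'hash' => null, 'error' => 'new passwords do not match'];
    }
    if (strlen($newPassword) < 12) {
        return ['ok' => false, 'hash' => null, 'error' => 'new password too short (min. 12 characters)'];
    }
    if (password_verify($newPassword, $storedHash)) {
        return ['ok' => false, 'hash' => null, 'error' => 'new password must differ from the current one'];
    }

    // 3. Store only a salted, slow hash; never the password itself.
    $newHash = password_hash($newPassword, PASSWORD_DEFAULT);
    return ['ok' => true, 'hash' => $newHash, 'error' => null];
}

// Constructed demo account (not real credentials).
$storedHash = password_hash('old-secret-2008', PASSWORD_DEFAULT);

// Wrong current password: change is refused.
$attempt1 = changeBackendPassword($storedHash, 'guess', 'brand-new-passphrase', 'brand-new-passphrase');
echo 'attempt 1: ', $attempt1['ok'] ? 'accepted' : 'refused (' . $attempt1['error'] . ')', PHP_EOL;

// Correct current password and a valid new one: change is accepted.
$attempt2 = changeBackendPassword($storedHash, 'old-secret-2008', 'brand-new-passphrase', 'brand-new-passphrase');
echo 'attempt 2: ', $attempt2['ok'] ? 'accepted, new hash stored' : 'refused (' . $attempt2['error'] . ')', PHP_EOL;
```

The order of the checks matters: the current password is verified before anything about the new one is inspected, so the error messages never tell an unauthenticated caller anything about the stored hash. The caller is expected to persist the returned hash and, in a real backend, to regenerate the session ID after the change.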