[TYPO3-dev] typo3.org login

Dmitry Dulepov dmitry.dulepov at gmail.com
Tue Nov 18 18:59:34 CET 2008


Hi!

Erik Svendsen wrote:
> If it's an "intrusion" with an admin account and password you may be in
> deep shit, so guys - take extremely good care of admin accounts and their
> passwords. An intruder may have had access for months, without doing
> other things than putting in small pieces of backdoors and so on. As
> admin, you may change pretty much code in the system. And as he/she is
> using an official account, maybe no one will notice until you find some
> signs like people trying to login to other websites.
> 
> So the "leak" of userdata and password is probably the part which is
> easiest to recover from.

Well, I never had Backend access to typo3.org, so I cannot tell if
they have correct file permissions there. But if they do, the admin
user will never be able to modify core files. Only files in
typo3temp/, typo3conf/ and uploads/ will be accessible for writing.
I hope that the typo3.org setup was properly supervised by the security
team.

-- 
Dmitry Dulepov
TYPO3 translations support
My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
In the blog: http://typo3bloke.net/post-details/ghosts_in_typo3/
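
The permission layout described in the message above can be checked mechanically. The following is an added example, not part of the original post or of TYPO3: a POSIX shell function that lists every path outside typo3temp/, typo3conf/ and uploads/ that the web server account could modify. The function name and its three arguments (docroot, web server user, web server group) are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a TYPO3 document root for paths the web server
# account can write to outside the three directories named in the post.
# Assumptions: the caller knows which user/group PHP runs as and passes
# them in (names or numeric ids); supplementary groups are not checked.

audit_writable() {
    docroot=$1    # TYPO3 document root (assumed path, given by the caller)
    webuser=$2    # account the web server / PHP runs as
    webgroup=$3   # primary group of that account

    (
        cd "$docroot" || exit 2
        # Skip the three directories that are expected to be writable,
        # then report anything else that is:
        #   - owned by the web user and owner-writable, or
        #   - in the web group and group-writable, or
        #   - world-writable.
        # Symlinks are ignored because their own mode bits are meaningless.
        find . \
            \( -path ./typo3temp -o -path ./typo3conf -o -path ./uploads \) -prune \
            -o \( \
                  \( -user "$webuser" -perm -200 \) \
               -o \( -group "$webgroup" -perm -020 \) \
               -o -perm -002 \
            \) ! -type l -print | sort
    )
}

# Stand-alone use: audit_writable /path/to/docroot www-data www-data
# Empty output means the web account cannot modify core files directly.
```

Any path printed is a place where a compromised admin session or a vulnerable script running as the web account could plant or alter code outside the expected writable directories.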



