[TYPO3-dev] typo3.org login

Peter Russ peter.russ at 4many.net
Tue Nov 18 20:24:35 CET 2008


--- Original Message ---
Sender:   Dmitry Dulepov
Date:       18.11.2008 18:59:
> Hi!
> 
> Erik Svendsen wrote:
>> If it's an "intrusion" with an admin account and password you may be in
>> deep shit, so guys - take extremely good care of admin accounts and their
>> passwords. An intruder may have had access for months, without doing
>> other things than putting in small pieces of backdoors and so on. As
>> admin, you may change pretty much code in the system. And as he/she is
>> using an official account, maybe no one will notice until you find some
>> signs like people trying to login to other websites.
>>
>> So the "leak" of userdata and password is probably the part which is
>> easiest to recover from.
> 
> Well, I never had Backend access to typo3.org, so I cannot tell if
> they have correct file permissions there. But if they do, the admin
> user will never be able to modify core files. Only files in
> typo3temp/, typo3conf/ and uploads/ will be accessible for writing.
> I hope that typo3.org set up was properly supervised by the security
> team.
> 

If I see how this issue is handled here, I would not bet on that!
Further, I'm in doubt that this will be fixed in just a few days. If that 
would be that easy, why wasn't it done before, as many claimed the 
plain passwords are a problem? Is 4.2.x already "stable"? SCNR.

One unique password for everything, either at TYPO3 or in a modern 
version at OpenID, is and will always be a problem. If not today, then at 
the latest the day after tomorrow.

JM2C

Peter.


-- 
Fiat lux!
Docendo discimus.
_____________________________
4Many® Services
XING: http://www.xing.com/go/invuid/Peter_Russ
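
The file-permission claim quoted above (only typo3temp/, typo3conf/ and uploads/ writable) can be checked on an installation with a short audit. This is an added example, not part of the thread or of TYPO3; the function name and its three arguments (document root, web server user, web server group) are assumptions, and it looks at mode bits only, not ACLs.

```shell
#!/bin/sh
# Added example (hypothetical helper, not TYPO3 code).
# audit_typo3_writable DOCROOT WEBUSER WEBGROUP
# Prints every file or directory under DOCROOT that the web server
# account could modify according to its mode bits, skipping the three
# directories the message names as legitimately writable.
audit_typo3_writable() {
    docroot=$1
    webuser=$2    # user (name or numeric id) the web server / PHP runs as
    webgroup=$3   # group (name or numeric id) the web server / PHP runs as
    (
        cd "$docroot" || exit 2
        find . \
            \( -path ./typo3temp -o -path ./typo3conf -o -path ./uploads \) -prune \
            -o \( -type f -o -type d \) \
               \( \( -user "$webuser" -perm -200 \) \
                  -o \( -group "$webgroup" -perm -020 \) \
                  -o -perm -002 \) \
               -print | sort
    )
}

# Stand-alone use: sh audit.sh /path/to/docroot www-data www-data
# (the path and the account names here are placeholders)
if [ "$#" -ge 3 ]; then
    audit_typo3_writable "$1" "$2" "$3"
fi
```

Empty output means the mode bits match the layout described in the message; any path printed is one a compromised backend or PHP process could overwrite. A writable directory is reported as well, since it allows files inside it to be replaced.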



