[TYPO3-dev] typo3.org login
Peter Russ
peter.russ at 4many.net
Tue Nov 18 20:24:35 CET 2008
--- Original Message ---
Sender: Dmitry Dulepov
Date: 18.11.2008 18:59:
> Hi!
>
> Erik Svendsen wrote:
>> If it's an "intrusion" with an admin account and password you may be in
>> deep shit, so guys - take extremely good care of admin accounts and their
>> passwords. An intruder may have had access for months, without doing
>> other things than putting in small pieces of backdoors and so on. As
>> admin, you may change pretty much code in the system. And as he/she is
>> using an official account, maybe no one will notice until you find some
>> signs like people trying to login to other websites.
>>
>> So the "leak" of userdata and password is probably the part which is
>> easiest to recover from.
>
> Well, I never had Backend access to typo3.org, so I cannot tell if
> they have correct file permissions there. But if they do, the admin
> user will never be able to modify core files. Only files in
> typo3temp/, typo3conf/ and uploads/ will be accessible for writing.
> I hope that typo3.org setup was properly supervised by the security
> team.
>
If I see how this issue is handled here, I would not bet on that!
Further I'm in doubt that this will be fixed in just a few days. If that
were that easy, why wasn't it done before, as many claimed the
plain passwords are a problem? Is 4.2.x already "stable"? SCNR.
One unique password for everything, either at TYPO3 or in a modern
version at OpenId, is and will always be a problem. If not today, then
at the latest the day after tomorrow.
JM2C
Peter.
--
Fiat lux!
Docendo discimus.
_____________________________
4Many® Services
XING: http://www.xing.com/go/invuid/Peter_Russ
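
An added example, not part of the thread and not TYPO3 project code: a check for the permission layout the quoted reply describes, reporting anything the web server account can write to outside typo3temp/, typo3conf/ and uploads/. The sample tree, its file names and the web server uid are constructed assumptions.

```python
import os
import stat
import tempfile

# The only directories the quoted reply expects to be writable.
ALLOWED = ("typo3temp", "typo3conf", "uploads")

def writable_by(st, uid, gids):
    """POSIX mode-bit check: the first matching class (owner, group, other) decides."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def unexpected_writable(root, uid, gids=(), allowed=ALLOWED):
    """Relative paths under root that uid/gids can write to, outside `allowed`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Skip the top-level directories that are meant to be writable.
            dirnames[:] = [d for d in dirnames if d not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about its target
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample web root; modes are set explicitly so umask is irrelevant."""
    root = tempfile.mkdtemp()
    layout = {
        "typo3conf/localconf.php": 0o666,  # writable, but inside an allowed directory
        "uploads/pic.jpg": 0o666,
        "typo3/index.php": 0o644,          # core file, not writable by others
        "t3lib/class.sample.php": 0o666,   # core file left world-writable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    web_uid = os.getuid() + 1  # assumed web server uid, different from the file owner
    for rel in unexpected_writable(build_sample_tree(), web_uid):
        print("writable outside allowed dirs:", rel)
```

If the web server account owns the files, as in the second case the check covers, every core file shows up, which is the situation the first quoted paragraph warns about.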