[TYPO3-dev] Services architecture

Christian Lerrahn typo3 at penpal4u.net
Thu Mar 24 09:52:34 CET 2011


Hi Dmitry,
On Thu, 24 Mar 2011 10:42:54 +0200
Dmitry Dulepov <dmitry.dulepov at gmail.com> wrote:
> > So, I can't see how the risk becomes any more significant as a
> > result of passing the decrypted password on to the remaining
> > service chain.
> 
> Get the username and password and post or mail it to some Chinese
> server. That happened a lot with various systems in recent months.

Well, but how does the current approach protect against that? If I have
FTP access and really am out to get passwords, I just inject a service
which comes in before rsaauth and calls it just like saltedpasswords does.
It would require about 10 extra lines of code but would still mean that
I can capture the encrypted passwords as well.

But to be honest, if I had FTP access, I would most likely not worry
much about the passwords (even though some could be useful beyond the
local TYPO3 install) and if I really did, I'd just uninstall rsaauth
before injecting my own service and never bother calling for
decryption. It is very unlikely that this would be noticed any earlier
than the presence of the malware itself.

Cheers,
Christian
