[TYPO3-dev] Services architecture

Dmitry Dulepov dmitry.dulepov at gmail.com
Thu Mar 24 11:35:59 CET 2011


Hi!

Christian Lerrahn wrote:
> Well, but how does the current approach protect against that. If I have
> FTP access and really am out to get passwords, I just inject a service
> which comes in before rsaauth and calls it just like saltedpasswords.
> It would require about 10 lines of code extra but would still mean that
> I can capture the encrypted passwords as well.

There is no point in capturing encrypted passwords because they are one-time 
only.

What you describe is possible. But it is not a reason to weaken other parts 
of the system.

> But to be honest, if I had FTP access, I would most likely not worry
> much about the passwords (even though some could be useful beyond the
> local TYPO3 install) and if I really did, I'd just uninstall rsaauth
> before injecting my own service and never bother calling for
> decryption. It is very unlikely that this would be noticed any earlier
> than the presence of the malware itself.

This is also possible. Don't use FTP and set up a file checksum monitoring 
service :)

-- 
Dmitry Dulepov
TYPO3 core&security team member
E-mail: dmitry.dulepov at typo3.org
Web: http://dmitry-dulepov.com/
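The "file checksum monitoring" Dmitry recommends above, as an added example that is not part of the original post or of TYPO3 itself: a baseline manifest of SHA-256 hashes is taken over the web root and later compared against the current tree, reporting added, removed and modified files. The directory layout (`typo3conf/ext/...`), the `evil_auth` extension name and the file contents are constructed for the demonstration; the function names are my own.

```python
"""File-integrity baseline and comparison for a web root.

Added example, not code from the TYPO3 project or from the thread above.
Assumes the site lives under one directory tree and that the baseline
manifest is stored where an attacker with FTP access cannot rewrite it
(a separate host, or at least outside the FTP-writable area).
All paths and file contents below are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Hex SHA-256 of one file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree is not followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    added = sorted(cur_keys - base_keys)
    removed = sorted(base_keys - cur_keys)
    modified = sorted(p for p in base_keys & cur_keys if baseline[p] != current[p])
    return added, removed, modified


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny typo3conf tree, then simulate the
    attack discussed in the thread (a new auth service dropped in via FTP and an
    existing extension's ext_localconf.php edited) and report what changed."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        rsaauth = os.path.join(root, "typo3conf", "ext", "rsaauth")
        os.makedirs(rsaauth)
        with open(os.path.join(rsaauth, "ext_localconf.php"), "w") as f:
            f.write("<?php\n// original extension config\n")
        with open(os.path.join(root, "typo3conf", "localconf.php"), "w") as f:
            f.write("<?php\n// site config\n")

        # Baseline is written outside the web root (the 'store' directory here).
        baseline_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), baseline_path)

        # Simulated tampering: hypothetical 'evil_auth' service added, rsaauth edited.
        evil = os.path.join(root, "typo3conf", "ext", "evil_auth")
        os.makedirs(evil)
        with open(os.path.join(evil, "ext_localconf.php"), "w") as f:
            f.write("<?php\n// registers a service with higher priority than rsaauth\n")
        with open(os.path.join(rsaauth, "ext_localconf.php"), "a") as f:
            f.write("// appended by attacker\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

Two practical caveats: the checker and its baseline must live where the FTP account cannot write, otherwise the same access that plants the service can also re-baseline it; and the baseline has to be regenerated as part of every legitimate deployment, or the alerts drown in noise and get ignored.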
