[TYPO3-dev] Services architecture
Dmitry Dulepov
dmitry.dulepov at gmail.com
Thu Mar 24 11:35:59 CET 2011
Hi!
Christian Lerrahn wrote:
> Well, but how does the current approach protect against that. If I have
> FTP access and really am out to get passwords, I just inject a service
> which comes in before rsaauth and calls it just like saltedpasswords.
> It would require about 10 lines of code extra but would still mean that
> I can capture the encrypted passwords as well.
There is no point in capturing encrypted passwords because they are one-time
only.
What you describe is possible. But it is not a reason to weaken other parts
of the system.
> But to be honest, if I had FTP access, I would most likely not worry
> much about the passwords (even though some could be useful beyond the
> local TYPO3 install) and if I really did, I'd just uninstall rsaauth
> before injecting my own service and never bother calling for
> decryption. It is very unlikely that this would be noticed any earlier
> than the presence of the malware itself.
This is also possible. Don't use FTP and set up a file checksum monitoring
service :)
--
Dmitry Dulepov
TYPO3 core&security team member
E-mail: dmitry.dulepov at typo3.org
Web: http://dmitry-dulepov.com/
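The "file checksum monitoring service" suggested above, as an added example that is not part of the original post or of TYPO3's own code: a baseline-and-verify script that records a SHA-256 digest for every file under a web root, stores the manifest outside that tree, and on the next run reports files that were added, removed or modified. The `typo3conf/ext/...` layout and the injected `evil` extension are constructed for the demo only; the point is that a dropped-in service or a patched `ext_localconf.php` shows up as a diff against the baseline.

```python
"""Baseline-and-verify file checksum monitor (added example, not TYPO3 code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so an attacker cannot point a monitored path at
    an unrelated file to mask a change.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, dest):
    """Persist the baseline as sorted JSON (keep it outside the monitored tree)."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a fake TYPO3 tree, then 'inject' a service.

    The directory names mimic a TYPO3 install but are made up for the demo.
    """
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"                 # the monitored web root
        manifest_path = Path(tmp) / "baseline.json"  # stored outside the web root
        ext = site / "typo3conf" / "ext"
        (ext / "rsaauth").mkdir(parents=True)
        (ext / "rsaauth" / "ext_localconf.php").write_text("<?php // rsaauth\n")
        (ext / "saltedpasswords").mkdir()
        (ext / "saltedpasswords" / "ext_localconf.php").write_text("<?php // salted\n")

        save_manifest(build_manifest(site), manifest_path)

        # Someone with FTP access drops in a new service and edits an existing file.
        (ext / "evil").mkdir()
        (ext / "evil" / "ext_localconf.php").write_text("<?php // capture\n")
        (ext / "rsaauth" / "ext_localconf.php").write_text("<?php // patched\n")

        return compare(load_manifest(manifest_path), build_manifest(site))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

Run it periodically from cron or a systemd timer against the real web root and alert on any non-empty result. The baseline must live somewhere the same FTP account cannot reach (another host, or at least signed), otherwise the attacker rewrites the manifest along with the files; and the baseline has to be refreshed deliberately after each legitimate deployment, or every update will look like tampering.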