[Typo3] Security issue with MySQL on Windows
Peter Russ
peter.russ at 4dfx.de
Sat Jan 29 19:29:27 CET 2005
Karsten Dambekalns schrieb:
> Hi Peter.
>
> Peter Russ wrote:
>
>>Karsten Dambekalns schrieb:
>>
>>>I'd like to point out a security issue that has been published yesterday
>>>by MySQL AB. It affects those who run MySQL on Windows machines. Detailed
>
> ...
>
>>And what's about the alerts on Debian, Microsoft, Free-BSD etc...
>>Didn't you read that?
>>Sorry I forgot PHP to mention!
>>If we would always re-publish all alerts here it would be redundant.
>
>
> I see your point. My intention is not to republish all those announcements
> here. But we discussed the point of relaying security issues with
> components that are central to the majority of TYPO3 setups during the tour,
> and I still think this is a good idea.
>
> It would only be about things like IM, MySQL, Apache, PHP and maybe some
> more (remember, this has been pointed out a number of times, and no one
> complained; the same holds true for IM). It's not about fundamental things
> in every distribution or OS (those are the job of an admin).
>
> Of course we expect every TYPO3 admin to take care of this on their own, but
> this is unrealistic - sad but true. Now if some hole in some major
> component makes TYPO3 systems vulnerable, and the damage is already done,
> what then? We can rightfully point to the real cause a thousand times. It
> will still shed a wrong light on the project.
>
> This is why default permissions were discussed lately in the security team -
> the release packages are easy to install, but not secure per default.
> Everyone *should* read the README and secure their setup, but... So this
> will change: rather have frustrated (first time) users than insecure
> setups.
>
>
>>I would appreciate if we could concentrate on Typo3.
>
>
> Sure. So, if the above is nonsense, we won't do it again. I mean it. Any
> suggestions and comments?
>
> Regards,
> Karsten
>
Hello Karsten,
as you mentioned, the main "security hole" is the person setting up
Typo3. How many admin/passwords are still unchanged on production sites?
This shows me that providing information and understanding the
content are two totally different things.
For example the IM alert: only interesting for PSD files with more than
25 layers.... But the impression here is that Typo has a serious problem
because IM has an overflow.
So I think it's less helpful to just provide the information without
explaining the impact on Typo3. What about a "Security Alert Team":
whenever an alert rises they publish a ranking from "no influence on
Typo3" up to "Fix it, otherwise your site will go down".
Something similar to
http://www.whitehouse.gov/news/releases/2002/03/images/200-hsas-chart.jpg
;-)
Regs. Peter