[Typo3] Just wondering: Why does TYPO3 expose server information
Peter Russ
peter.russ at 4many.net
Mon Jul 18 19:05:14 CEST 2005
Just read the CHANGELOG on CVS and found a small hint:
"Added a die() call to protect the display of phpinfo() in
misc/phpcheck/incfile.php"
I.e. ALL TYPO3 installations expose BY DEFAULT server information. If
this might be a security risk or not is NOT the point, but it provides
helpful information for possible attacks.
Now there is a fix only for 3.8.0 in the CVS. If you run older versions
(i.e. 3.5 or 3.6.x or 3.7.x) you should add
<code>
die('We love TYPO3');
</code>
right at the beginning of incfile.php, if YOU are NOT interested in
exposing MORE information on YOUR server setup than YOU want.
Contacted the security team this morning; the reaction was: "we know ... there
will be a book published end of July...". The fix has been out since July 2nd :-(
As there is no further reaction on this matter as Ekkehard promised, I
decided to publish that as not every admin might read the cvs and there
was no information on that through the security team.
AGAIN: This is no direct security risk but MIGHT HELP to hack your
server depending on the installed software and versions. IMHO it should
be the admin deciding which information about the server and the
software is provided. This CAN'T be the decision of any software or
software vendor, or at least there MUST BE some note - haven't found ANY
until NOW!
Also at www.typo3.org you can get some useful information if you load
above mentioned link. Might be that they run a FreeBSD test there ;-)
Regs. Peter.
_______________
www.4many.net
--
_____________________________
4Many® Services
openBC: http://www.openbc.com/go/invuid/Peter_Russ
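As an added example (not part of Peter's post and not TYPO3's own code), here is a small PHP guard an admin could place at the top of a diagnostic script such as misc/phpcheck/incfile.php. It keeps phpinfo() disabled by default and only renders it when an explicit opt-in flag file exists and the request comes from loopback; the flag file path and the error_log() call are assumptions for illustration.

```php
<?php
// Added example, not TYPO3 code. Gate a diagnostic page such as
// misc/phpcheck/incfile.php so phpinfo() is never exposed by default.
// Assumption: the flag file path below is illustrative; the script is
// included before any output is sent.

// Returns true only when the admin has explicitly enabled the page
// (by creating the flag file) AND the request comes from loopback.
function phpcheckAllowed(string $flagFile, string $remoteAddr): bool
{
    if (!is_file($flagFile)) {
        return false;            // default: disabled, nothing exposed
    }
    // Second gate: only local (e.g. SSH-tunnelled) access is accepted
    return in_array($remoteAddr, ['127.0.0.1', '::1'], true);
}

$flagFile   = __DIR__ . '/.phpcheck-enabled';   // illustrative path
$remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';

if (!phpcheckAllowed($flagFile, $remoteAddr)) {
    // Record the refused request so unexpected probing shows up in the
    // server log, but give the client nothing beyond a generic 403.
    error_log(sprintf('phpcheck: refused phpinfo() request from %s', $remoteAddr));
    http_response_code(403);
    die('We love TYPO3');
}

// Only reached when the admin has deliberately enabled the page.
phpinfo();
```

Removing the flag file after use returns the script to its default of exposing nothing.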