[Typo3] Just wondering: Why does TYPO3 expose server information

Peter Russ peter.russ at 4many.net
Mon Jul 18 19:05:14 CEST 2005


Just read CHANGELOG on cvs and found some small hint:

"Added a die() call to protect the display of phpinfo() in 
misc/phpcheck/incfile.php"

I.e. ALL TYPO3 installations expose BY DEFAULT server information. 
Whether this might be a security risk or not is NOT the point, but it 
provides helpful information for possible attacks.

Now there is a fix only for 3.8.0 in the CVS. If you run older versions 
(i.e. 3.5 or 3.6.x or 3.7.x) you should add
<code>
die('We love TYPO3');
</code>
right at the beginning of incfile.php, if YOU are NOT interested in 
exposing MORE information on YOUR server setup than YOU want.

Contacted the security team this morning; the reaction was: "we know ... 
there will be a book published end of July...". Fix is out since July 2nd :-(

As there is no further reaction on this matter as Ekkehard promised, I 
decided to publish that as not every admin might read the cvs and there 
was no information on that through the security team.

AGAIN: This is no direct security risk but MIGHT HELP to hack your 
server depending on the installed software and versions. IMHO it should 
be the admin deciding which information about the server and the 
software is provided. This CAN'T be the decision of any software or 
software vendor, or at least there MUST BE a note - haven't found ANY 
until NOW!

Also at www.typo3.org you can get some useful information if you load 
the above-mentioned link. Might be that they run a FreeBSD test there ;-)

Regs. Peter.
_______________
www.4many.net

-- 
_____________________________
4Many® Services
openBC: http://www.openbc.com/go/invuid/Peter_Russ
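An added example, not part of Peter's message and not TYPO3 project code: a small Python audit script an admin can run locally against a document root to find every misc/phpcheck/incfile.php in which phpinfo() is still reachable before any die()/exit guard, i.e. installations where the fix described above has not yet been applied. The file contents and directory layout used here are constructed stand-ins, not the real TYPO3 file, and the comment-stripping is a heuristic rather than a PHP parser.

```python
import os
import re
import tempfile
from typing import List

# Constructed stand-ins for misc/phpcheck/incfile.php (not the real TYPO3 file).
UNGUARDED = "<?php\n// phpcheck helper (constructed sample)\nphpinfo();\n"
GUARDED = "<?php\ndie('We love TYPO3');  // guard added per the mailing-list advice\nphpinfo();\n"

_LINE_COMMENT = re.compile(r"//.*|#.*")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_PHPINFO = re.compile(r"\bphpinfo\s*\(")
_GUARD = re.compile(r"\b(?:die|exit)\b")


def exposes_phpinfo(source: str) -> bool:
    """True when phpinfo() appears in executable code before any die()/exit.

    Heuristic: comments are stripped first so a commented-out call does not
    count; a die/exit that occurs textually after phpinfo() does not protect it.
    """
    code = _BLOCK_COMMENT.sub("", _LINE_COMMENT.sub("", source))
    info = _PHPINFO.search(code)
    if info is None:
        return False
    guard = _GUARD.search(code)
    return guard is None or guard.start() > info.start()


def audit_install(root: str) -> List[str]:
    """Walk a document root and return phpcheck/incfile.php paths still exposing phpinfo()."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "phpcheck" and "incfile.php" in files:
            path = os.path.join(dirpath, "incfile.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if exposes_phpinfo(fh.read()):
                    findings.append(path)
    return sorted(findings)


def demo() -> List[str]:
    """Build two constructed TYPO3-like trees in a temp dir and audit them.

    Returns the findings as paths relative to the temp root, so the result is
    stable: only the unguarded site should be reported.
    """
    with tempfile.TemporaryDirectory() as root:
        for site, content in (("site-a", UNGUARDED), ("site-b", GUARDED)):
            d = os.path.join(root, site, "misc", "phpcheck")
            os.makedirs(d)
            with open(os.path.join(d, "incfile.php"), "w", encoding="utf-8") as fh:
                fh.write(content)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in audit_install(root)]


if __name__ == "__main__":
    for finding in demo():
        print("phpinfo() still exposed:", finding)
```

Run it against a real document root with `audit_install("/var/www/typo3")` (path assumed); any path it prints is an install where the one-line die() guard from the message still needs to be added at the top of incfile.php.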


