[TYPO3-english] Security non sense in felogin ?

Tonix (Antonio Nati) tonix at interazioni.it
Mon Sep 27 20:28:13 CEST 2010


  On 27/09/2010 19:34, Ernesto Baschny [cron IT] wrote:
> Tonix (Antonio Nati) wrote on 27.09.2010 18:28:
>>   I'm examining felogin (TYPO3 4.2), and I see each time it publishes a
>> hidden field with the storage PID of users.
>> Is there any reason to publish such information on the website, when there
>> are dozens of ways to pass the information to the plugin?
>> If I force a logout, adding a simple logintype=Logout, without the pid
>> field, it works without problems. So why add this internal information?
> Your installation might have different SysFolders for users (multiple
> sites, multiple trees, etc). When the login is submitted, TYPO3 will
> authenticate the user before any typoscript or realurl is parsed, so he
> doesn't really have any other information at hand to decide which
> sysfolder to take.

So the user could authenticate against every page of a typo3 website, 
despite the fact we want to force him/her to authenticate on a specific 
page?
And if he/she knows of a test/forgotten users folder, he/she can anyway 
enter the site specifying additional parameters so easily?

Pretty strange... and dangerous. In this way, there are a lot of 
backdoors for huge sites with test user data. So, there is no way to 
exclude a test users folder, unless you delete it, because from outside 
it can always be accessed and used for authentication.


> Passing them via "POST" might not seem to be the most beautiful way, but
> it's the easiest.
>
> Do you have any concrete drawbacks in mind?

In the security field, the word "easiest" is never used, especially when it 
makes it so easy to break a security schema.

I feel the security authentication architecture is less secure than before 
asking this question.
The authentication page should be handled differently from the rest of the site, 
and should be bulletproof.

The authentication page should contain a special plugin that makes only that 
page special, and disables any attempt to use other data (and does not 
publish any internal data).

Cheers,

Tonino

> Cheers,
> Ernesto
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
>


-- 
------------------------------------------------------------
         Inter at zioni            Interazioni di Antonio Nati
    http://www.interazioni.it      tonix at interazioni.it
------------------------------------------------------------
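The point argued in this thread, as an added illustration that is not felogin's or TYPO3's own code: the hidden `pid` field lets the client choose which user storage folder is authenticated against, so the folder should instead be resolved from server-side configuration. The `$allowedStorageByHost` map, the folder numbers and the posted values are constructed assumptions for the example.

```php
<?php
// Added example, not TYPO3/felogin code. It contrasts trusting the posted
// "pid" field with resolving the storage folder server-side.
// Assumption: the login form posts "pid" and "logintype" as felogin does;
// $allowedStorageByHost is a hypothetical server-side configuration.

// Weak pattern: whatever pid the client posts is the folder used for
// authentication, so any reachable folder (e.g. a test users folder) works.
function storagePidFromRequestWeak(array $post): ?int
{
    return isset($post['pid']) ? (int) $post['pid'] : null;
}

// Hardened pattern: the folder comes from configuration keyed on the host
// the request arrived at. A posted pid is honoured only if it is in that
// host's allowlist; otherwise the request is refused, so a folder that is
// not listed (test or forgotten users) can never be selected from outside.
function storagePidFromRequestHardened(array $post, string $host, array $allowedStorageByHost): ?int
{
    if (!isset($allowedStorageByHost[$host]) || $allowedStorageByHost[$host] === []) {
        return null; // unknown host: refuse rather than guess
    }
    $allowed = $allowedStorageByHost[$host];
    if (!isset($post['pid'])) {
        return $allowed[0]; // default folder for this host
    }
    $pid = (int) $post['pid'];
    return in_array($pid, $allowed, true) ? $pid : null;
}

// Constructed sample configuration and request
$allowedStorageByHost = [
    'www.example.org'      => [12],      // production FE users folder
    'intranet.example.org' => [12, 34],  // production plus staff folder
];
$post = ['logintype' => 'login', 'pid' => '99']; // 99: a test users folder, listed nowhere

var_dump(storagePidFromRequestWeak($post));
var_dump(storagePidFromRequestHardened($post, 'www.example.org', $allowedStorageByHost));
```

The weak variant returns the client-chosen folder 99, while the hardened variant returns null for the same request because 99 is not in the allowlist for that host.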
