[Typo3-dev] Security Problem - HTML
Peter Russ :: 4Dfx
peter.russ at 4dfx.de
Tue Sep 23 17:31:54 CEST 2003
René Fritz wrote:
> Hi
>
> I read the note on heise.de, which I found a little confusing and not
> very clear.
> But they say: "Because TYPO3 don't check the users IP address ...".
>
> So why not make the security stronger rather than make workarounds? Which means to
> include the IP from where a user logged in, in the current session.

This might be a problem as the IP address
1) might change if it is a dialed connection or with timeout
2) with a router you might see only 1 IP address for tons of users. So if
the attacker is within the same company -> no win. So you could also
check the port number. But this changes on every request.

Solutions:
a) filter at input, i.e. disable HTML-input type and in RTE check for
malicious words (admin definable) before writing to DB.
b) extend Javascript On*-methods.

So offering a solution should be done in such a way that other projects which
are included in Typo extensions or contribute may benefit (e.g. phpBB
and here the problem might even exist with unknown users) as the article
on Heise was revised and no longer limits the exploit to Typo3 ;)

Regs. Peter.
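
The two objections to IP-bound sessions raised in this message, as an added example (not part of the original post and not TYPO3 code): a session check tied to the login address, run over constructed requests. The names `login`, `session_valid` and `prefix_len`, the in-memory store and all addresses are assumptions made for illustration; IPv4 only.

```python
import ipaddress
import secrets

SESSIONS = {}  # hypothetical in-memory store: session id -> IP seen at login


def login(client_ip):
    """Create a session and remember the IP address it was opened from."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = ipaddress.ip_address(client_ip)
    return sid


def session_valid(sid, client_ip, prefix_len=32):
    """Accept only if client_ip shares the first prefix_len bits with the login IP.

    prefix_len=32 is the strict check proposed in the quoted mail; smaller
    values are an assumed relaxation for clients whose address changes.
    """
    bound = SESSIONS.get(sid)
    if bound is None:
        return False
    allowed = ipaddress.ip_network(f"{bound}/{prefix_len}", strict=False)
    return ipaddress.ip_address(client_ip) in allowed


def demo():
    # Constructed addresses from the RFC 5737 documentation ranges.
    dialup = login("198.51.100.20")  # user on a dial-up line
    office = login("203.0.113.5")    # user behind a company router (NAT)
    return {
        "same_ip": session_valid(dialup, "198.51.100.20"),
        # 1) new address after re-dial: the legitimate user is locked out
        "redial_strict": session_valid(dialup, "198.51.100.77"),
        # relaxing to /24 lets the user back in, but widens who may match
        "redial_relaxed": session_valid(dialup, "198.51.100.77", prefix_len=24),
        # 2) another machine behind the same router presents the same session id
        "same_router": session_valid(office, "203.0.113.5"),
        # same session id from an unrelated network is rejected
        "other_network": session_valid(office, "192.0.2.9"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15} accepted={accepted}")
```

The check only helps in the last case; it rejects the legitimate user after a re-dial and cannot tell apart two machines behind one router, which is why the message turns to filtering at input instead.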