[TYPO3-dev] Security Warning
Elmar Hinz
elmar.DOT.hinz at team.MINUS.red.DOT.net
Wed Feb 8 00:33:35 CET 2006
Steffen Kamper wrote:
> Hi,
>
> I discovered the possibility to get the DB params even if you are not admin
> and have the possibility to access PHP scripts, e.g. with php_page_content.
>
> Then a simple script like
>
> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>
> prints out all necessary data.
>
> Is this a big problem for security? What do you think about that?
>
>
It tells me that you shouldn't allow non-admins to insert any script, independent
of the method of insertion.
/el