[TYPO3-dev] Security Warning
Steffen Kamper
steffen at dislabs.de
Wed Feb 8 09:14:13 CET 2006
My point was that there are some points of vulnerability everyone should know
so you can prevent users from using PHP. That is one more point to think about when
configuring the BE usergroup. On some systems an ext like php_page_content is
needed for some additional features, so you must hide it from the normal BE users.
Also the possibility to write TS.
Because of that I wanted this discussion, maybe to show some more points of
vulnerability - there are surely some more, and some exts should be made aware of it too
:)
Steffen
"Dennis Cheung" <hkdennis2k at gmail.com> wrote in the news message
news:mailman.13521.1139374158.6406.typo3-dev at lists.netfielders.de...
Hi,
I think TYPO3_db_username and password are not a real problem.
If you allow non-admins to run any PHP written by them,
they can do the most dangerous operations to your database and filesystem.
e.g.
re-write index_ts.php, localconf.php
use $TYPO3_DB->link directly
Dennis
On 2/8/06, Ingo Renner <typo3 at ingo-renner.com> wrote:
> On Tue, 7 Feb 2006 23:59:05 +0100, Steffen Kamper wrote:
>
> > Hi,
> >
> > I discovered the possibility to get the DB params even if you are not admin
> > and have the possibility to access PHP scripts, e.g. with php_page_content.
> >
> > Then a simple script like
> >
> > <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>
> Who would have guessed that? Just do not allow anyone to install this kind
> of extension and enforce that rule. EXT:page_php_content is evil.
>
>
> Ingo
>