[TYPO3-dev] Security Warning
Martin Seebach
martin at biplane.dk
Wed Feb 8 11:50:32 CET 2006
On Wednesday 08 February 2006 01:28, Alexander Schlegel wrote:
> "Elmar Hinz" <elmar.DOT.hinz at team.MINUS.red.DOT.net> wrote in the news post
> > > <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
> > > Is this a big problem for security ? What do you think about that ?
> > It tells me that you shouldn't allow non admins to insert any script
> > independent of the method of insertion.
> I think, you consider it a little bit too careless. For me it's a security
> lack, too. Nobody should be able to get this information in this simple
> manner.
No, really, it's fine. Actually, it's easier than that, just read
localconf.php (it's more likely that you'll find a hole that allows you to
read a file than one that will allow you to execute PHP code).
The username and password give you access to the database - as a matter of
fact the *exact* same access that is available with the default TYPO3
database API functions. And you should never allow connections to your
database server from the outside.
This is a non-problem.. ;)
// Martin