[TYPO3-dev] Security Warning
S. Teuber
traveler_in_time at gmx.net
Wed Feb 8 13:32:51 CET 2006
Hi Steffen,
> Then a simple script like
>
> <?php echo "User / Passwort: ".TYPO3_db_username." /
> ".TYPO3_db_password; ?>
>
> prints out all necessary data.
>
> Is this a big problem for security? What do you think about that?
It's not, because:
a) if the user can upload PHP-scripts, he doesn't even need to know the
database's username/password, since he can do *anything* to the database by
just using the API-methods provided in $GLOBALS['TYPO3_DB'].
b) if, for some scenario, the username/password-combination is made public
to users that do not fall under a), they can't do anything with that
information, since every reasonable admin would limit access to his
databases to certain IPs only (mostly localhost).
If remote access from any client to the database is possible, then there's
a security problem (which can only be solved by replacing the server
admin).
Sven
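
An added example, not part of the original post: a check for the condition in point b), reporting which accounts a leaked username/password could be used with from another machine. It assumes MySQL-style account host patterns and a single bind address; the account list is constructed, and firewall rules are not considered.

```python
import ipaddress

LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128")]


def _is_loopback(spec):
    """True if an address or addr/mask spec lies entirely in loopback space."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostnames, "*" and other non-IP values
    return any(net.version == lo.version and net.subnet_of(lo)
               for lo in LOOPBACK_NETS)


def listener_is_local(bind_address):
    """True if the server only accepts connections from the same machine."""
    b = bind_address.strip().lower()
    return b == "localhost" or _is_loopback(b)


def account_is_local(host_pattern):
    """True if the account's host pattern can only match a local client."""
    h = host_pattern.strip().lower()
    if h == "localhost":
        return True
    if "%" in h or "_" in h:
        return False  # SQL wildcards may match remote clients
    return _is_loopback(h)


def remotely_usable(bind_address, accounts):
    """Accounts whose leaked credentials would work from another machine."""
    if listener_is_local(bind_address):
        return []  # nothing is reachable from outside, as in point b)
    return [f"{user}@{host}" for user, host in accounts
            if not account_is_local(host)]


# Constructed sample data (user, host pattern), not taken from any real system.
ACCOUNTS = [("typo3", "localhost"), ("typo3", "%"),
            ("backup", "10.0.0.%"), ("report", "127.0.0.1")]

if __name__ == "__main__":
    for bind in ("127.0.0.1", "0.0.0.0"):
        print(bind, "->", remotely_usable(bind, ACCOUNTS) or "no remote exposure")
```

An empty result covers only point b); a script running on the server itself, as in point a), still reaches the database through the local connection.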