[TYPO3-dev] Security Warning
Kasper Skårhøj
kasper2006 at typo3.com
Wed Feb 8 18:38:15 CET 2006
No, Steffen, that is not a security problem.
The problem is that you allow someone to execute PHP. *Any* execution
of PHP compromises security completely. This is for instance the
reason why TypoScript Templates can only (and should only!!) be
edited by admin-users because TypoScript allows them to include PHP
scripts.
- kasper
"A contribution a day keeps the fork away"
-------------------------------
kasper2006 at typo3.com | +45 20 999 115 | skype: kasperskaarhoej |
gizmo: kasper_typo3
On Feb 7, 2006, at 23:59 , Steffen Kamper wrote:
> Hi,
>
> I discovered the possibility to get the DB-Params still if you are
> not admin
> and have possibility to access php-scripts, e.g. with
> php_page_content.
>
> Then a simple script like
>
> <?php echo "User / Passwort: ".TYPO3_db_username." / ".TYPO3_db_password; ?>
>
> prints out all necessary data.
>
> Is this a big problem for security? What do you think about that?
>
>
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev