[TYPO3-dev] Info disclosure from extension folders
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Wed Oct 25 18:06:37 CEST 2006
christian reiter wrote:
>
> Therefore it is perhaps a good idea to configure Apache so that it does
> not deliver this information.
>
> Just forbidding access to all typo3conf/ext is of course not the solution:)
> However there is no reason why it should be possible to display the
> ext_tables.sql, the changelogs etc in the browser. When people make
> extensions themselves of course it is also possible to find out some
> information by identifying the extension name from the comments in the HTML
> source of a page where a plugin is located and then looking at the
> ext_tables.sql, wizard_form.html... etc. - all of this information should
> really be private.
The current file system layout makes it impossible to distinguish between
files that must be delivered by the Webserver (PHP-scripts, certain images,
CSS-files and other web resources) and other data (PHP classes, setup and
configuration data).
IMHO this should be addressed in TYPO3 5.0, but in the meantime you can
hide only specific files (e.g. "typo3conf/localconf.php" or generic file
names like "ChangeLog"), but I think it's a lot of trouble to protect all
those files and directories with Apache directives.
Masi
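
An added example, not part of the thread: a small audit that walks a document root for the file names mentioned above and generates one `<FilesMatch>` block to deny them. The name list, the `tx_demo` sample tree and the Apache 2.4 `Require all denied` syntax are assumptions of this example.

```python
import os
import re
import tempfile

# Names the thread calls out as not meant for browsers (list assembled here
# from those mentions, an assumption; extend it for your own extensions).
SENSITIVE_NAMES = ["ext_tables.sql", "ChangeLog", "localconf.php", "wizard_form.html"]

def find_exposed(docroot, names=SENSITIVE_NAMES):
    """Return docroot-relative paths whose basename is a sensitive name."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            if fname.lower() in wanted:
                rel = os.path.relpath(os.path.join(dirpath, fname), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def files_match_directive(names=SENSITIVE_NAMES):
    """Build an Apache 2.4 <FilesMatch> block that denies these basenames."""
    alternation = "|".join(re.escape(n) for n in names)
    return (
        f'<FilesMatch "(?i)^({alternation})$">\n'
        "    Require all denied\n"
        "</FilesMatch>\n"
    )

def build_sample_tree(root):
    """Create a constructed layout; 'tx_demo' is a made-up extension."""
    for rel in [
        "typo3conf/localconf.php",
        "typo3conf/ext/tx_demo/ext_tables.sql",
        "typo3conf/ext/tx_demo/ChangeLog",
        "typo3conf/ext/tx_demo/res/style.css",
        "typo3conf/ext/tx_demo/pi1/class.tx_demo_pi1.php",
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print("\n".join(find_exposed(root)))  # files a browser could fetch
    print(files_match_directive())
```

Because `<FilesMatch>` tests only the file's base name, one block in the server or vhost configuration covers every extension directory without listing each path.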