[TYPO3-dev] Hacked TYPO3 Sites

Franz Holzinger franz at fholzinger.com
Wed Aug 1 10:38:29 CEST 2007


Martin Kutschker wrote:
> Franz Holzinger wrote:
>> Hello Martin,
>>
>>> Would it be security-wise better to remove PHP config files in favour of
>>> XML files (with XML-CASE-constructs and PHP post-processing hooks) and
>>> caching with serialized arrays?
>>
>> IMHO a checksum for the PHP file could be introduced and stored in the
>> database with logging and also another file. A warning could be sent to
>> the admin, if the checksum of the PHP file has become invalid. This is
>> done already in the EM with the extensions files. So only a TYPO3
>> backend admin could install new extensions and reset the checksum
>> automatically.
> 
> But if I can write, I can easily read any salts needed to create the
> checksum myself.
Yes, but you need access to the database, if the checksum is stored
there. IMHO an external TYPO3 observer installation is needed to detect
such intrusions.

- Franz
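
As an added illustration of the checksum scheme debated above (example code, not from the thread or from TYPO3): a file-integrity check where the HMAC key is held by an external observer rather than on the web host, so write access to the files alone does not allow recomputing valid checksums. File names, contents and the key are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def build_manifest(root: Path, key: bytes) -> dict:
    """Map every file under root (relative POSIX path) to an HMAC-SHA256 of its bytes.

    The key belongs to the external observer and is never stored under root, so an
    attacker who can only write into the webroot cannot forge matching checksums.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hmac.new(key, path.read_bytes(), hashlib.sha256).hexdigest()
    return manifest

def verify_manifest(root: Path, key: bytes, baseline: dict) -> dict:
    """Recompute checksums and report files that changed, appeared, or vanished."""
    current = build_manifest(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and not hmac.compare_digest(current[p], baseline[p])),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario: baseline a tiny site tree, alter it, then re-verify."""
    key = b"observer-key-kept-off-the-web-host"  # constructed; in practice held only by the observer
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "ext").mkdir()
        (root / "conf" / "site_config.php").write_text("<?php\n$conf['db'] = 'x';\n")
        (root / "ext" / "helper.php").write_text("<?php\nfunction helper() {}\n")
        baseline = build_manifest(root, key)  # observer keeps this outside the webroot
        # Simulated tampering: config edited, one file dropped in, one file deleted.
        (root / "conf" / "site_config.php").write_text("<?php\n$conf['db'] = 'x'; // edited\n")
        (root / "ext" / "unexpected.php").write_text("<?php\n")
        (root / "ext" / "helper.php").unlink()
        return verify_manifest(root, key, baseline)

if __name__ == "__main__":
    print(demo())
```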