[TYPO3-dev] Hacked TYPO3 Sites
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Wed Aug 1 11:30:01 CEST 2007
Franz Holzinger wrote:
> Martin Kutschker wrote:
>> Franz Holzinger wrote:
>>> Hello Martin,
>>>
>>>> Would it be securitywise better to remove PHP config files in favour of
>>>> XML files (with XML-CASE-constructs and PHP post-processing hooks) and
>>>> caching with serialized arrays?
>>> IMHO a checksum for the PHP file could be introduced and stored in the
>>> database with logging and also another file. A warning could be sent to
>>> the admin, if the checksum of the PHP file has become invalid. This is
>>> done already in the EM with the extensions files. So only a TYPO3
>>> backend admin could install new extensions and reset the checksum
>>> automatically.
>> But if I can write, I can easily read any salts needed to create the
>> checksum myself.
>
> Yes, but you need access to the database, if the checksum is stored
> there. IMHO an external TYPO3 observer installation is needed to detect
> such intrusions.
Getting access to the DB is easy. Either try using the open TYPO3
connection or simply read localconf.php.
Masi
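Added example (not code from this thread or from TYPO3) of the observer-side check Franz and Martin are discussing: the per-file digest is an HMAC whose key stays with the external observer, so being able to write the web root or read localconf.php and the database on that host is not enough to recompute a valid digest. Paths, the key and the file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, key):
    """HMAC-SHA256 of one file under the observer's key."""
    # Someone who can write the web root (and read the DB credentials in
    # localconf.php) can recompute a plain checksum, or one salted with a
    # value stored on the same host; without the observer's key they cannot.
    with open(path, "rb") as fh:
        return hmac.new(key, fh.read(), hashlib.sha256).hexdigest()

def snapshot(root, key, suffixes=(".php",)):
    """Map relative path -> keyed digest for every matching file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = file_digest(full, key)
    return result

def compare(baseline, current):
    """Return sorted (modified, added, removed) relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed scenario: baseline a site, then alter localconf.php and drop a file."""
    key = b"placeholder-key-held-only-by-the-observer"  # assumption: never stored on the web host
    with tempfile.TemporaryDirectory() as site:
        conf = os.path.join(site, "typo3conf", "localconf.php")
        os.makedirs(os.path.dirname(conf))
        with open(conf, "w") as fh:
            fh.write("<?php\n$TYPO3_CONF_VARS['SYS']['sitename'] = 'demo';\n")
        baseline = snapshot(site, key)
        with open(conf, "a") as fh:  # constructed change made by someone with write access
            fh.write("// line appended after the baseline was taken\n")
        extra = os.path.join(site, "typo3conf", "dropped.php")
        with open(extra, "w") as fh:
            fh.write("<?php\n")
        return compare(baseline, snapshot(site, key))
```

The baseline itself can be kept next to the key on the observer; if it has to live near the site, the HMAC still cannot be refreshed by whoever altered the files.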