[TYPO3-dev] Thoughts about security in BE
Steffen Kamper
steffen at sk-typo3.de
Fri Jan 18 13:09:57 CET 2008
"Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in the news message
news:mailman.1.1200655989.28496.typo3-dev at lists.netfielders.de...
> Georg Ringer wrote:
>> Hi Marcus,
>>
>> Changes concerning extensions can only be done by an admin, and an admin
>> should know what he does!
>
> If someone hijacked an admin account via XSS, the admin is someone else, not
> the person that you intended to be admin!
>
>
>> And I guess no hack works via the backend but directly to the database
>> with an UPDATE/INSERT/DELETE query.
>
> Think about a person described above firing a "TRUNCATE TABLE pages" with
> phpMyAdmin!
>
>
Why not use .htaccess for phpMyAdmin?
Regards, Steffen
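As an added example of the .htaccess approach suggested above (this is editor-supplied example configuration, not something from the original post or from the TYPO3 or phpMyAdmin projects): an Apache 2.4 .htaccess placed in the phpMyAdmin directory that requires both HTTP Basic authentication and a client address from an allowlisted range. The password file path /var/www/.htpasswd-pma, the user name dbadmin and the network 192.0.2.0/24 are assumptions for illustration. Note that this only governs who can reach phpMyAdmin over HTTP; it does nothing for a TYPO3 backend admin session that has been taken over via XSS, which was the scenario raised in the quoted reply.

```apache
# Added example configuration (not from the original post).
# Drop this file into the phpMyAdmin directory as .htaccess.
# The server config must permit it, e.g. in the <Directory> block:
#     AllowOverride AuthConfig Limit
# Create the password file OUTSIDE the document root, for example:
#     htpasswd -c /var/www/.htpasswd-pma dbadmin
# (path and user name are assumptions for this example)

AuthType Basic
AuthName "Database administration"
AuthUserFile /var/www/.htpasswd-pma

# Both conditions must hold: valid Basic auth credentials AND a client
# address inside the allowlisted network (192.0.2.0/24 is an assumption;
# replace it with the admin network that should reach phpMyAdmin).
<RequireAll>
    Require valid-user
    Require ip 192.0.2.0/24
</RequireAll>

# Do not let the web server hand out phpMyAdmin's own config or the
# password file if someone requests them directly.
<FilesMatch "^(config\.inc\.php|\.htpasswd.*)$">
    Require all denied
</FilesMatch>
```

Two checks are worth doing after deploying it: request the phpMyAdmin URL from an address outside the allowlisted range and confirm a 403 even with correct credentials, and confirm that Basic auth is only offered over HTTPS, since the credentials are sent base64-encoded and not encrypted by the scheme itself.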