[TYPO3-dev] Thoughts about security in BE
Steffen Kamper
steffen at sk-typo3.de
Fri Jan 18 13:16:33 CET 2008
"Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in news post
news:mailman.1.1200657650.23809.typo3-dev at lists.netfielders.de...
> Martin Kutschker wrote:
>> Marcus Krause wrote:
>>>
>>> - Password changes to user accounts require old/current password
>>
>> Possible (Core change).
>
> And is often used for applications in IT world.
>
>
Any admin with DB access can simply change the PW string in the DB, so it
doesn't have the wanted effect.
>>> - before using extension phpmyadmin you should be explicitly requested to
>>> insert current password
>>
>> I'd use a specific password for the tool, not the user's password (or
>> perhaps both). Anyway this is a change of the ext which is not maintained by
>> the Core team as it isn't a sysext any more.
>
> Any password would be okay (perhaps install tool?). I know, this is a
> third party extension, but I was interested in what you think about that
> before filing a feature request.
>
>
>>> - before installing extensions with ext-manager you should be explicitly
>>> requested to insert current password
>>
>> Possible (Core change).
>>
Any admin with FTP (or using tools like quixplorer) can manipulate
localconf.php without using EM.
Regards, Steffen