[TYPO3-dev] Thoughts about security in BE

Marcus Krause marcus.krause at tu-clausthal.de
Fri Jan 18 13:19:44 CET 2008


Steffen Kamper wrote:
> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in message
> news:mailman.1.1200655989.28496.typo3-dev at lists.netfielders.de...
>> Georg Ringer wrote:
>>> Hi Marcus,
>>>
>>> changes concerning extensions can just be done by an admin, and an admin
>>> should know what he does!
>> If someone hijacked an admin account via XSS, the admin is someone else, not
>> the person that you intended to be admin!
>>
>>
>>> And I guess no hack works via the backend but directly to the database
>>> with an UPDATE/INSERT/DELETE query.
>> Think about a person as described above firing a "TRUNCATE TABLE pages" with
>> phpmyadmin!
>>
>>
> 
> 
> why not using .htaccess for phpmyadmin?

If you ship phpmyadmin with a pre-configured .htaccess file, everybody - also
attackers - would know the password. This would also require that .htaccess
files are allowed to be set by the webserver configuration.
If you ship phpmyadmin with a deactivated, ready-to-use .htaccess file, this
requires the admin to activate it first to profit from the improved security.
Therefore this type of installation would be as secure as the current one.
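The alternative to a shipped password is generating the credential on the installed machine. The following is an added example, not code from this thread, phpMyAdmin or TYPO3: it writes a fresh .htaccess/.htpasswd pair (Apache's default $apr1$ hash) with a random password that exists only on that host, and assumes a hypothetical user name "pmaadmin" and a target directory chosen by the caller.

```python
import hashlib
import secrets
from pathlib import Path

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ MD5-crypt, the hash htpasswd writes by default."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, as in APR
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    to64 = lambda v, n: "".join(ITOA64[(v >> 6 * k) & 0x3F] for k in range(n))
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return f"$apr1${sl.decode()}${enc}{to64(final[11], 2)}"


def protect_directory(target: Path, user: str = "pmaadmin") -> str:
    """Create a per-installation .htaccess/.htpasswd pair in *target* and return
    the generated password for the installing admin. Nothing here is shipped."""
    password = secrets.token_urlsafe(18)
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    htpasswd = target / ".htpasswd"
    htpasswd.write_text(f"{user}:{apr1_md5(password, salt)}\n")
    htpasswd.chmod(0o640)
    # Only effective where the server config grants "AllowOverride AuthConfig".
    (target / ".htaccess").write_text(
        "AuthType Basic\n"
        'AuthName "phpMyAdmin"\n'
        f"AuthUserFile {htpasswd.resolve()}\n"
        "Require valid-user\n"
    )
    return password
```

Verify the result with `htpasswd -v <dir>/.htpasswd pmaadmin` before relying on it; the .htpasswd file should live outside the web root in production.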



