[TYPO3-dev] Thoughts about security in BE
Marcus Krause
marcus.krause at tu-clausthal.de
Fri Jan 18 13:27:00 CET 2008
Steffen Kamper wrote:
> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in message
> news:mailman.1.1200657650.23809.typo3-dev at lists.netfielders.de...
>> Martin Kutschker wrote:
>>> Marcus Krause wrote:
>>>> - Password changes to user accounts require the old/current password
>>> Possible (Core change).
>> And is often used for applications in IT world.
>>
>
> any admin with DB access can simply change the PW string in the DB, so it doesn't
> have the wanted effect.
That's why I wrote "Thoughts about security in BE". Where does a typical admin
in the BE have the possibility to access the DB directly? By using phpmyadmin.
Therefore you have to secure that extension too.
An admin certainly has the possibility to change the password for any user. But
an attacker who has hijacked an admin account is no longer interested in user accounts!
>
>>>> - before using the extension phpmyadmin you should explicitly be requested to
>>>> insert the current password
>>> I'd use a specific password for the tool, not the user's password (or
>>> perhaps both). Anyway this is a change of the ext which is not maintained by
>>> the Core team as it isn't a sysext any more.
>> Any password would be okay (perhaps the install tool's?). I know, this is a
>> third party extension, but I was interested in what you think about that
>> before filing a feature request.
>>
>>
>>>> - before installing extensions with the ext-manager you should explicitly be
>>>> requested to insert the current password
>>> Possible (Core change).
>>>
>
> any admin with FTP (or using tools like quixplorer) can manipulate
> localconf.php without using the EM.
My point is security risks by XSS. You cannot retrieve FTP credentials by XSS.
Anyway, FTP is insecure. Use a secure method (SFTP, ...) to access your
TYPO3 installation.
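The idea argued for in this thread (ask for the current password again before a privileged backend action such as using the extension manager, so that a session hijacked via XSS is not enough on its own) can be illustrated with a small re-authentication gate. The following PHP is an added example, not TYPO3 code and not from any poster in this thread; the function names, the session keys `is_admin` and `reauth_at`, and the 5-minute validity window are assumptions chosen for the illustration.

```php
<?php
// Added example (not TYPO3 code): a "re-enter your password before a
// privileged action" gate. Session keys, function names and the time
// window are assumptions for this illustration.

declare(strict_types=1);

// Assumption: a freshly entered password is accepted for 5 minutes.
const REAUTH_WINDOW_SECONDS = 300;

/**
 * True only if the session records a recent successful password entry.
 * A stolen session cookie (e.g. obtained through XSS) alone does not pass,
 * because the attacker did not type the password.
 */
function hasRecentReauth(array $session, int $now): bool
{
    if (!isset($session['reauth_at']) || !is_int($session['reauth_at'])) {
        return false;
    }
    $age = $now - $session['reauth_at'];
    return $age >= 0 && $age <= REAUTH_WINDOW_SECONDS;
}

/**
 * Check the submitted password against the stored hash; on success,
 * record the time of re-authentication in the session.
 */
function reauthenticate(array &$session, string $submittedPassword, string $storedHash, int $now): bool
{
    if (!password_verify($submittedPassword, $storedHash)) {
        return false;
    }
    $session['reauth_at'] = $now;
    return true;
}

/**
 * Gate in front of a privileged action (e.g. installing an extension).
 * Returns 'denied', 'reauth_required' or 'ok'.
 */
function privilegedActionGate(array $session, int $now): string
{
    if (empty($session['is_admin'])) {
        return 'denied';
    }
    if (!hasRecentReauth($session, $now)) {
        return 'reauth_required';
    }
    return 'ok';
}

// Constructed demo data: an admin session that has not re-entered its password yet.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$session = ['is_admin' => true];
$now = time();

// No password entered yet: the action must be refused until re-authentication.
echo privilegedActionGate($session, $now), PHP_EOL;

// A wrong password does not unlock the action.
reauthenticate($session, 'wrong password', $storedHash, $now);
echo privilegedActionGate($session, $now), PHP_EOL;

// The correct password unlocks it for the configured window.
reauthenticate($session, 'correct horse battery staple', $storedHash, $now);
echo privilegedActionGate($session, $now), PHP_EOL;

// After the window has passed, the password has to be entered again.
echo privilegedActionGate($session, $now + REAUTH_WINDOW_SECONDS + 1), PHP_EOL;
```

As the thread itself notes, this only raises the bar for an attacker holding a session but not the password; an admin who knows the password, or anyone with direct DB or file access, is not stopped by it, which is why the other hardening points (securing the phpmyadmin extension, using SFTP instead of FTP) still matter.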