[TYPO3-dev] Thoughts about security in BE
Marcus Krause
marcus.krause at tu-clausthal.de
Fri Jan 18 13:31:47 CET 2008
Steffen Kamper wrote:
> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in message
> news:mailman.1.1200658866.5872.typo3-dev at lists.netfielders.de...
>> Steffen Kamper wrote:
>>> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in message
>>> news:mailman.1.1200655989.28496.typo3-dev at lists.netfielders.de...
>>>> Georg Ringer wrote:
>>>>> Hi Marcus,
>>>>>
>>>>> changes concerning extensions can only be done by an admin, and an admin
>>>>> should know what he does!
>>>> If someone hijacked an admin account via XSS, the admin is someone else,
>>>> not the person that you intended to be admin!
>>>>
>>>>
>>>>> And I guess no hack works via the backend but directly on the database
>>>>> with an UPDATE/INSERT/DELETE query.
>>>> Think about the person described above firing a "TRUNCATE TABLE pages" with
>>>> phpMyAdmin!
>>>>
>>>>
>>>
>>> why not use .htaccess for phpMyAdmin?
>> If you ship phpMyAdmin with a preset .htaccess file, everybody - also
>> attackers - would know the password. This would also require that
>> .htaccess files are allowed by the webserver configuration.
>> If you ship phpMyAdmin with a deactivated, ready-to-use .htaccess file, this
>> requires the admin to activate it first to profit from the improved security.
>> Therefore this type of installation would be as secure as the current one.
>
> There are other possibilities: checking for an existing .htaccess. If it's
> missing, only show a screen with "Error: Missing .htaccess".
> Any admin can create their own .htaccess.
You got me. ;-)
That's also a possibility. But this would also require that the webserver
configuration allows the use of .htaccess files at all!
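The check proposed above, as an added example for this thread rather than TYPO3 or phpMyAdmin code: a guard placed at the top of a bundled admin tool's entry script that refuses to serve the tool unless a .htaccess file with HTTP authentication directives sits next to it. The function name `htaccessProblems` and the directive list it looks for are the example's own choices. It also carries the caveat raised in the reply: a file on disk proves nothing when the server runs with `AllowOverride None`, so the static check is a necessary condition only, and whether Apache actually enforces the file can only be confirmed with a live request.

```php
<?php
// Added example (not TYPO3 or phpMyAdmin code): include this at the very top
// of the tool's index.php, before anything else is sent to the client.
//
// Caveat: .htaccess is only honoured if the webserver configuration permits
// overrides for this directory (Apache: AllowOverride AuthConfig or All).
// That cannot be detected from PHP without an HTTP round trip, so passing
// these checks does not by itself prove the tool is protected.

/**
 * Inspect the .htaccess file in $dir and return a list of problems found.
 * An empty array means the file exists and declares HTTP authentication.
 */
function htaccessProblems(string $dir): array
{
    $path = rtrim($dir, '/') . '/.htaccess';
    if (!is_file($path) || !is_readable($path)) {
        return ["Missing or unreadable $path"];
    }

    // Keep only non-empty, non-comment directive lines.
    $lines = array_filter(
        array_map('trim', explode("\n", (string) file_get_contents($path))),
        function (string $l): bool { return $l !== '' && $l[0] !== '#'; }
    );

    $required = [
        // directive pattern                      => description
        '/^AuthType\s+(Basic|Digest)\b/i'         => 'AuthType Basic|Digest',
        '/^AuthUserFile\s+\S+/i'                  => 'AuthUserFile <path>',
        '/^Require\s+(valid-user|user\s+\S+)/i'   => 'Require valid-user',
    ];

    $problems = [];
    foreach ($required as $pattern => $description) {
        if (preg_grep($pattern, $lines) === []) {
            $problems[] = "No '$description' directive in $path";
        }
    }
    return $problems;
}

$problems = htaccessProblems(__DIR__);
if ($problems !== []) {
    // Log the specifics for the admin; show the visitor only the generic screen.
    foreach ($problems as $p) {
        error_log('admin tool guard: ' . $p);
    }
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Error: Missing .htaccess\n";
    echo "Create a .htaccess file with HTTP authentication in this directory ";
    echo "(e.g. using htpasswd) before using this tool.\n";
    exit;
}
// ... the tool itself continues here.
```

A reasonable complement, outside this snippet, is to keep a small canary file (for example an empty file under the same protected directory) and have the installer or an admin fetch it over HTTP once: a 401 confirms the server enforces the .htaccess, a 200 means overrides are disabled and the screen above gives a false sense of safety.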