[TYPO3-dev] Thoughts about security in BE

Steffen Kamper steffen at sk-typo3.de
Fri Jan 18 13:38:03 CET 2008


"Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in news posting 
news:mailman.1.1200659590.31464.typo3-dev at lists.netfielders.de...
> Steffen Kamper wrote:
>> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in news posting 
>> news:mailman.1.1200658866.5872.typo3-dev at lists.netfielders.de...
>>> Steffen Kamper wrote:
>>>> "Marcus Krause" <marcus.krause at tu-clausthal.de> wrote in news posting 
>>>> news:mailman.1.1200655989.28496.typo3-dev at lists.netfielders.de...
>>>>> Georg Ringer wrote:
>>>>>> Hi Marcus,
>>>>>>
>>>>>> changes concerning extensions can just be done by an admin and an 
>>>>>> admin should know what he does!
>>>>> If someone hijacked an admin account via XSS, the admin is someone else, 
>>>>> not the person that you intended to be admin!
>>>>>
>>>>>
>>>>>> And I guess no hack works via the backend but directly to the 
>>>>>> database with
>>>>>> an UPDATE/INSERT/DELETE query.
>>>>> Think about a person as described above firing a "TRUNCATE TABLE pages" 
>>>>> with phpmyadmin!
>>>>>
>>>>>
>>>>
>>>> why not using .htaccess for phpmyadmin?
>>> If you ship phpmyadmin with a set .htaccess file, everybody - also 
>>> attackers - would know the password. This would also require that 
>>> .htaccess files are allowed to be set by the webserver configuration.
>>> If you ship phpmyadmin with a deactivated ready-to-use .htaccess file, this 
>>> requires the admin to activate it first to profit from improved 
>>> security. Therefore this type of installation would be as secure as the 
>>> current one.
>>
>> There are other possibilities. Checking for an existing .htaccess. If it's 
>> missing, only show a screen with Error: Missing .htaccess
>> Any admin can create their own .htaccess.
>
> You got me. ;-)
> That's also a possibility. But this would also require that the webserver 
> configuration allows the use of .htaccess files at all!

Without it there is no phpmyadmin ;-)
Without it there is no realurl or others like that. It's imho a recommendation 
for TYPO3.

vg  Steffen 
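Steffen's proposal (check for an .htaccess file and otherwise show only an error screen) combined with Marcus' caveat that the webserver must actually honour the file, as an added PHP example that is not code from this thread, TYPO3 or phpMyAdmin. It assumes it runs as the front controller of the bundled phpMyAdmin directory under Apache; the self-URL and the probe header name are made up for the example.

```php
<?php
// Added example, not TYPO3 or phpMyAdmin code: gate a bundled phpMyAdmin
// directory on a present AND effective .htaccess, as proposed in the thread.
// Assumptions: this runs as the front controller of that directory, Apache
// serves it, and $selfUrl (a made-up URL) points back at this directory.
declare(strict_types=1);

// A probe request that reaches PHP at all was not stopped by HTTP auth.
if (isset($_SERVER['HTTP_X_HTACCESS_PROBE'])) {
    http_response_code(200);
    exit('unprotected');
}

/** Returns null when protected, otherwise the message to show instead of phpMyAdmin. */
function htaccessProtectionError(string $dir, string $selfUrl): ?string
{
    $file = rtrim($dir, '/') . '/.htaccess';
    if (!is_file($file)) {
        return 'Missing .htaccess';
    }
    // Existence alone proves nothing: the file must actually demand a login.
    $content = (string)file_get_contents($file);
    if (!preg_match('/^\s*AuthType\s+\S+/mi', $content)
        || !preg_match('/^\s*Require\s+(valid-user|user\s)/mi', $content)) {
        return '.htaccess found but it sets no AuthType/Require directives';
    }
    // Apache ignores the file when AllowOverride is None (Marcus' caveat), so
    // prove enforcement: an anonymous request to ourselves must get a 401.
    $ctx = stream_context_create(['http' => [
        'method' => 'HEAD', 'header' => "X-Htaccess-Probe: 1\r\n",
        'ignore_errors' => true, 'timeout' => 3,
    ]]);
    @file_get_contents($selfUrl, false, $ctx);
    $status = 0;
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int)$m[1];
    }
    if ($status !== 401) {
        return ".htaccess is not enforced by the web server (HTTP $status, expected 401): check AllowOverride";
    }
    return null;
}

$error = htaccessProtectionError(__DIR__, 'https://example.org/typo3/phpmyadmin/');
if ($error !== null) {
    http_response_code(503);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Error: ' . $error);
}
// Protection verified: fall through to phpMyAdmin here.
```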
