[TYPO3-dev] Thoughts about security in BE
Malte Jansen
mail at maltejansen.de
Fri Jan 18 15:46:28 CET 2008
Marcus Krause wrote:
> Hi Devs!
>
>
> As XSS is a major problem mainly for third-party extensions and affects
> not only them but also TYPO3 itself (BE etc.), and you simply cannot
> review them all, I would suggest securing security-related functions in the BE.
> In my opinion this would include the following:
>
> - Password changes to user accounts require the old/current password
> - before using the phpmyadmin extension you should be explicitly requested to
> enter the current password
> - before installing extensions with the ext-manager you should be explicitly
> requested to enter the current password
>
>
> What do you think? Any more points to be added to above list?
Hi!
There would not be that problem if you could access the BE only via https
and didn't use simulatebe. But this is an admin thing: how strictly you
define your security guidelines.
I think there is an option for IP logging. So if the IP changes, you
have to log in again (correct me if I'm wrong).
By the way, in a well-running system you don't need phpmyadmin. Normally
you only need it during development.
If you create a new page and always have to enter the password for
installing an extension, ... this is not a good solution.
Cheers,
Malte
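As an added illustration of the proposal Marcus lists above (password changes require the current password; installing extensions or opening phpmyadmin requires a fresh password entry), here is a small re-authentication gate. This is example code written for this page, not TYPO3 code; the account/session classes, the function names, the 300-second confirmation window and the sample user are all assumptions. The point it makes concrete is the one behind the proposal: a script injected via XSS runs with the victim's session, but it does not know the victim's password, so an action that demands the password cannot be driven by the injected script alone.

```python
"""Re-authentication gate for sensitive back-end actions (example, not TYPO3 code).

Two rules from the thread:
  1. change_password() always requires the current password.
  2. install_extension() requires that the user confirmed their password within
     REAUTH_WINDOW seconds, otherwise ReauthRequired is raised and the UI should
     prompt for it.
All names and the window length are assumptions made for this example.
"""
import hashlib
import hmac
import os

REAUTH_WINDOW = 300          # seconds a confirmed password stays valid (assumed)
PBKDF2_ROUNDS = 100_000      # assumed work factor for the example


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    """A back-end user: hashed credential plus the extensions they installed."""

    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.installed_extensions = []

    def verify(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)   # constant-time compare


class Session:
    """What a logged-in browser holds. Injected script acts with this session
    but never learns the password behind it."""

    def __init__(self, account):
        self.account = account
        self.reauth_at = None   # timestamp of the last explicit password confirmation


class ReauthRequired(Exception):
    """Raised when a sensitive action needs a fresh password entry first."""


def reauthenticate(session, password, now):
    """User re-enters their password; on success the confirmation is timestamped."""
    if not session.account.verify(password):
        return False
    session.reauth_at = now
    return True


def _check_recent_auth(session, now):
    if session.reauth_at is None or now - session.reauth_at > REAUTH_WINDOW:
        raise ReauthRequired("enter your current password to continue")


def change_password(session, current, new):
    """Rule 1: the old password is required regardless of session state."""
    if not session.account.verify(current):
        return False
    session.account.salt, session.account.digest = hash_password(new)
    return True


def install_extension(session, ext_key, now):
    """Rule 2: only allowed shortly after an explicit password confirmation."""
    _check_recent_auth(session, now)
    session.account.installed_extensions.append(ext_key)
    return list(session.account.installed_extensions)


def demo():
    """Walk through the attacker-vs-admin scenario; returns a summary dict."""
    admin = Account("admin", "correct horse battery staple")   # constructed sample user
    session = Session(admin)
    results = {}
    # Injected script: has the session, guesses the password -> rejected.
    results["xss_password_change"] = change_password(session, "guess", "pwned")
    # Injected script: tries to install an extension without confirmation -> blocked.
    try:
        install_extension(session, "evil_ext", now=1000)
        results["xss_install"] = "allowed"
    except ReauthRequired:
        results["xss_install"] = "blocked"
    # Real admin confirms the password, installs within the window.
    results["admin_reauth"] = reauthenticate(session, "correct horse battery staple", now=1000)
    results["admin_install"] = install_extension(session, "phpmyadmin", now=1100)
    # Window expired: the next sensitive action needs the password again.
    try:
        install_extension(session, "another_ext", now=1000 + REAUTH_WINDOW + 1)
        results["expired_install"] = "allowed"
    except ReauthRequired:
        results["expired_install"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Malte's objection above (typing the password for every extension install is a poor user experience) is what the confirmation window in the example addresses: one password entry covers the sensitive actions of the next few minutes, and expires on its own.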