[TYPO3-dev] Thoughts about security in BE

Steffen Kamper steffen at sk-typo3.de
Fri Jan 18 19:54:54 CET 2008


"Ernesto Baschny [cron IT]" <ernst at cron-it.de> wrote in news post
news:mailman.1.1200671553.1710.typo3-dev at lists.netfielders.de...
> Steffen Kamper wrote: on 18.01.2008 13:38:
>
>>>>>> why not using .htaccess for phpmyadmin?
>>>>> If you ship phpmyadmin with a set .htaccess file, everybody - also 
>>>>> attackers - would know the password. This would also require that 
>>>>> .htaccess-files are allowed to be set by webserver configuration.
>>>>> If you ship phpmyadmin with a deactivated ready to use .htaccess-file 
>>>>> this requires the admin to activate it first to profit from improved 
>>>>> security. Therefore this type of installation would be as secure as 
>>>>> current one.
>>>> There are other possibilities. Checking for existing .htaccess. If it's 
>>>> missing, only show a screen with Error: Missing .htaccess
>>>> Any admin can create own htaccess.
>>> You got me. ;-)
>>> That's also a possibility. But this would also require that webserver 
>>> configuration allows to use htaccess-files at all!
>>
>> without there is no phpadmin ;-)
>> without there is no realurl or others like that. It's imho a 
>> recommendation for TYPO3.
>
> There is not only apache out there, I hear... :) IIS doesn't have 
> .htaccess files. Other Webservers are also different. So this cannot be 
> the "real" solution.
>
> Cheers,
> Ernesto

II what? :)

How does $M deal with realurl, is there a solution?
Is there a solution for directory access? Maybe it could also be considered in 
the script:
if(IIS && anyDirectoryAccessMethodExists) ...

I have no experience with IIS.

Regards, Steffen

