[TYPO3-dev] Thoughts about security in BE
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Mon Jan 21 12:22:14 CET 2008
Steffen Kamper schrieb:
> "Marcus Krause" <marcus.krause at tu-clausthal.de> schrieb im Newsbeitrag
> news:mailman.1.1200657650.23809.typo3-dev at lists.netfielders.de...
>> Martin Kutschker wrote:
>>> Marcus Krause schrieb:
>>>> - Password changes to user accounts require the old/current password
>>> Possible (Core change).
>> And is often used for applications in IT world.
> any admin with DB access can simply change the PW string in the DB, so it doesn't
> have the wanted effect.
That's why he wants to restrict access to phpMyAdmin. Now you also need a
script to do it (which may be a bit harder if you enforce some more
filesystem write/execute restrictions).
>
> any Admin with FTP (or using tools like quixplorer) can manipulate
> localconf.php without using EM.
FTP is not TYPO3. So a hijacked account doesn't mean write access. And of
course any super tool like Quixplorer and not only phpMyAdmin has to be
protected by an extra password.
Masi
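The control discussed in this thread, requiring the current password before a backend password is replaced, as an added example that is not part of the original post and not TYPO3 code. The in-memory $store array and the function names are assumptions standing in for the real user table and its API; hashing uses PHP's built-in password_hash()/password_verify().

```php
<?php
// Added example (not TYPO3 code): a password-change handler that only
// replaces the stored hash when the caller proves knowledge of the
// current password. $store is a constructed stand-in for the user table.
declare(strict_types=1);

/** Build the stand-in user store from constructed plaintext passwords. */
function createUserStore(array $plainPasswords): array
{
    $store = [];
    foreach ($plainPasswords as $name => $plain) {
        $store[$name] = ['password' => password_hash($plain, PASSWORD_DEFAULT)];
    }
    return $store;
}

/**
 * Change a user's password. Returns true only if the user exists, the
 * supplied current password verifies against the stored hash, and the
 * new password meets the (assumed) minimum length.
 */
function changePassword(array &$store, string $user, string $current, string $new): bool
{
    if (!isset($store[$user])) {
        return false;                       // unknown account
    }
    if (!password_verify($current, $store[$user]['password'])) {
        return false;                       // current password does not match
    }
    if (strlen($new) < 8) {
        return false;                       // assumed minimum length policy
    }
    $store[$user]['password'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Usage with constructed data.
$users = createUserStore(['admin' => 'correct horse']);
var_dump(changePassword($users, 'admin', 'wrong guess', 'newpass123'));   // bool(false)
var_dump(changePassword($users, 'admin', 'correct horse', 'newpass123')); // bool(true)
var_dump(password_verify('newpass123', $users['admin']['password']));     // bool(true)
```

As the thread points out, this check lives in the application path only: anyone who can write the hash column directly (phpMyAdmin, a DB shell) or edit configuration over FTP bypasses it, so it complements, rather than replaces, restricting those channels.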