[TYPO3-dev] Install tool access control bypass with loopback devices
Marcus Krause
marcus#exp2009 at t3sec.info
Mon Jul 20 11:42:11 CEST 2009
Hi!
As IPv6 loopback is about to be added to the install tool access control
bypass, I'd like to take it as a chance to discuss this behavior.
When using reverse proxies on localhost, this allows circumventing the
ENABLE_INSTALL_TOOL file procedure.
There's e.g. no warning/note/whatever that informs about not taking
ENABLE_INSTALL_TOOL into account. An example setup would be a hosting
company that is running such proxies on shared hosting servers.
In such setups the client has to modify TYPO3 Core code to have proper
protection in place. That's not nice at all: modifications are necessary
just to get back to the default security/protection level.
What I suggest:
Either completely remove this loopback access control bypass code or
take configured reverse proxies into account!
Comments!?
Marcus.
--
TYPO3 Security blog: http://secure.t3sec.info/
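The two variants of the check Marcus contrasts, as an added illustration (this is not TYPO3 Core code, and the function names, the `$trustedProxies` list and the `$enableFileExists` flag are assumptions made here; the flag stands in for the presence of typo3conf/ENABLE_INSTALL_TOOL). The naive check grants the loopback bypass on REMOTE_ADDR alone, so behind a reverse proxy listening on 127.0.0.1 every visitor looks local. The proxy-aware check first resolves the effective client address, trusting X-Forwarded-For only when the connection comes from a configured proxy and walking the header from the right so that hops the visitor sent themselves cannot promote them to loopback.

```php
<?php
// Added example, not TYPO3 Core code. $server is shaped like $_SERVER,
// $trustedProxies is an assumed configuration list of reverse-proxy
// addresses, $enableFileExists models typo3conf/ENABLE_INSTALL_TOOL.

function isLoopback(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return strncmp($ip, '127.', 4) === 0;   // whole 127.0.0.0/8
    }
    return $ip === '::1';                        // IPv6 loopback
}

// Behaviour described in the post: a loopback REMOTE_ADDR skips the
// ENABLE_INSTALL_TOOL check entirely. With a reverse proxy on localhost,
// REMOTE_ADDR is 127.0.0.1 for every visitor, so the file is never consulted.
function installToolAllowedNaive(array $server, bool $enableFileExists): bool
{
    if (isLoopback($server['REMOTE_ADDR'] ?? '')) {
        return true;
    }
    return $enableFileExists;
}

// Resolve the address the proxy actually saw. X-Forwarded-For is only
// consulted when the TCP peer is a configured proxy; the chain is walked from
// the right, skipping further configured proxies, because a visitor can put
// anything (including "127.0.0.1") at the left end of the header.
// Returns '' when the client cannot be determined, which never counts as loopback.
function effectiveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;   // direct connection: the header is not trustworthy
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;     // another configured proxy in the chain
        }
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : '';
    }
    return '';            // proxy sent no usable client address
}

// Proxy-aware variant: the loopback bypass applies to the effective client,
// so a public visitor behind a local proxy still needs ENABLE_INSTALL_TOOL.
function installToolAllowedProxyAware(array $server, array $trustedProxies, bool $enableFileExists): bool
{
    if (isLoopback(effectiveClientIp($server, $trustedProxies))) {
        return true;
    }
    return $enableFileExists;
}

// Constructed sample requests (not real traffic): a public visitor arriving
// through a reverse proxy that listens on 127.0.0.1, once with an honest
// header and once with a forged loopback hop prepended by the visitor.
$trusted     = ['127.0.0.1'];
$behindProxy = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'];
$spoofed     = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.5'];

var_dump(installToolAllowedNaive($behindProxy, false));
var_dump(installToolAllowedProxyAware($behindProxy, $trusted, false));
var_dump(installToolAllowedProxyAware($spoofed, $trusted, false));
```

With the ENABLE_INSTALL_TOOL file absent, the naive check still admits the proxied visitor, while the proxy-aware check denies both the honest and the forged request and falls back to the file. A request that really originates on the host (REMOTE_ADDR loopback and not coming through a configured proxy, or a proxy forwarding a loopback client) keeps the bypass, which is the behaviour the original code intended.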