[TYPO3-dev] config.baseURL, lt_basetag and security
Ries van Twisk
typo3 at rvt.dds.nl
Wed Sep 23 16:51:36 CEST 2009
Marc,
good catch...
Looking at the extension's code here: http://typo3.org/extensions/repository/view/lt_basetag/current/info/lt_basetag_changeBase.php/
Here is the security bulletin : http://typo3.org/teams/security/security-bulletins/typo3-20051114-6/
I am not sure how the spoofing actually works, but from the looks of it this extension could introduce the exact same problem.
Ries
On Sep 23, 2009, at 9:30 AM, Marc Wöhlken wrote:
> Hello!
> In earlier TYPO3 versions (< 4.0?) it was possible to use config.baseURL = 1 to let TYPO3 determine the correct current base url.
>
> AFAIK this feature had been disabled for security reasons (XSS?).
>
> Yesterday I stumbled over an extension called lt_basetag which does
> exactly what the above mentioned option did.
>
> Is this of concern when thinking in terms of security? Could someone
> possibly explain why the "old" approach was not safe?
>
> Greetings
> Marc
> --
> ...........................................................
> Marc Wöhlken TYPO3 certified integrator
>
> Quadracom - Proffe & Wöhlken
>
> Rembertistraße 32 WWW: http://www.quadracom.de
> D-28203 Bremen E-Mail: woehlken at quadracom.de
> ______________ PGP-Key: http://pgp.quadracom.de
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
regards, Ries van Twisk
-------------------------------------------------------------------------------------------------
tags: Freelance TYPO3 Glassfish JasperReports JasperETL Flex Blaze-DS
WebORB PostgreSQL DB-Architect
email: ries at vantwisk.nl web: http://www.rvantwisk.nl/
skype: callto://r.vantwisk
Phone: +1-810-476-4196 Cell: +593 9901 7694 SIP: +1-747-690-5133
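Marc asks why letting TYPO3 determine the base URL from the request was considered unsafe, and Ries notes that lt_basetag appears to reintroduce that behaviour. The following is an added illustration in plain PHP, not code from TYPO3, from lt_basetag, or from either poster. It assumes that "determining the base URL" means reading the request's Host header, which the client controls; every host name in it is constructed. It contrasts a base tag built directly from the Host header with one that checks the host against an allowlist and otherwise falls back to a fixed canonical URL, which is what a literal config.baseURL value gives you.

```php
<?php
// Added illustration, not code from TYPO3 or lt_basetag.
// Assumption: the automatic mode derives the base URL from $_SERVER['HTTP_HOST'].

/**
 * Unsafe: builds the base URL from whatever Host header the client sent.
 * Because the value is reflected into <base href>, every relative URL on
 * the page (scripts, stylesheets, form actions) resolves against a host
 * the requester chose, and a cache in front of the site may keep that page.
 */
function baseUrlFromRequest(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/';
}

/**
 * Hardened: accept only hosts from a fixed allowlist; for anything else
 * return the configured canonical base URL. This is the equivalent of
 * setting config.baseURL to a literal value instead of 1.
 */
function baseUrlFromAllowlist(array $server, array $allowedHosts, string $canonical): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // An explicit port is not part of the allowlist; strip it before comparing.
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host === '' || !in_array($host, $allowedHosts, true)) {
        return $canonical;
    }
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . '/';
}

/**
 * Whatever URL wins, escape it before it goes into the markup; the
 * allowlist protects the host, escaping protects the attribute context.
 */
function baseTag(string $url): string
{
    return '<base href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed requests (not captured traffic): one legitimate, one with a forged Host.
$legit  = ['HTTP_HOST' => 'www.example.org',  'HTTPS' => 'on'];
$forged = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];

$allowed   = ['www.example.org', 'example.org'];   // constructed allowlist
$canonical = 'https://www.example.org/';            // constructed canonical URL

foreach ([$legit, $forged] as $req) {
    printf("Host %-18s unsafe: %-28s hardened: %s\n",
        $req['HTTP_HOST'],
        baseTag(baseUrlFromRequest($req)),
        baseTag(baseUrlFromAllowlist($req, $allowed, $canonical)));
}
```

Run it with `php` on the command line: the legitimate request yields the same base tag from both functions, while the forged Host only reaches the page through the unsafe path. Note that the allowlist check alone does not cover the case where the Host header matches but the scheme is wrong (HTTP vs. HTTPS behind a proxy); a fixed canonical value sidesteps that too.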