[TYPO3-dev] admin -> BE -> Installtool: Drop the need for a password?
Steffen Gebert
steffen at steffen-gebert.de
Tue Feb 23 11:20:19 CET 2010
Am 23.02.2010, 11:14 Uhr, schrieb Popy <popy.dev at gmail.com>:
> 2010/2/23 Steffen Gebert <steffen at steffen-gebert.de>
>
>> More important would be to automatically create the ENABLE_INSTALL_TOOL
>> file, if a logged in admin wants to access the Install Tool.
>>
>
> -1 : This file was the only thing preventing somebody who did steal an
> admin
> account to get total access to the website. And we've already lost a bit
> of
> this "security" since the "create ENABLE_INSTALL_TOOL" button appeared.
No, it's the Install tool password, which prevents him!
OTOH it's easy to modify everything using Quixplorer or similar
extensions. So - to be honest - the security benefit of additional Install
tool security checks is quite low, if user has already admin access.
Steffen
More information about the TYPO3-dev
mailing list