[TYPO3-dev] Install Tool: Deletion suggested!?

Helmut Hummel helmut at typo3.org
Mon May 17 09:30:33 CEST 2010


Hi,

On 13.05.10 10:47, Steffen Gebert wrote:
> 
> Also I wouldn't call it "is a great danger" - the danger is not bigger
> than an admin account.

Do not underestimate the danger of an activated install tool. It was the
entry door for hacking www.schalke04.de and www.wolfgang-schaeuble.de.

Of course an additional vulnerability was exploited, but without an
activated install tool it would have been by far more complicated for
the hackers.

If you want to be secure, lock it down. If you want to be more secure,
delete it. If security really matters, deactivate backend login in the
system exposed to the internet.

Of course this is not necessary for most of the needs, but the suggestion
to delete the install tool is still a valid approach.

It's not so easy to enter a room, if the door is locked, but it's more
complicated if the door is bricked. Of course most of the time we have
doors to our homes because the need to carry a ladder instead of a key
is not so practical.

Regards Helmut



