[TYPO3-dev] Install Tool: Deletion suggested!?
Sebastian Gebhard
sebastiangebhard at hoch2.de
Thu May 20 08:53:21 CEST 2010
On 17.05.10 09:30, Helmut Hummel wrote:
> Do not underestimate the danger of an activated install tool. It was the
> entry door for hacking www.schalke04.de and www.wolfgang-schaeuble.de
>
> Of course an additional vulnerability was exploited, but without
> activated install tool it would have been by far more complicated for
> the hackers.

I cannot agree fully. The sites did not have an htaccess file and
ENABLE_INSTALL_TOOL was activated. If these things had been considered
by the admins, the hacks would not have happened.

I think the recommendations about htaccess file and ENABLE_INSTALL_TOOL
help to build a pretty sure system.

I go one step further and dare to say deleting the install tool might be
a security issue. Because then it needs more effort to update a site and
in fact fewer sites will be updated and therefore eventually run
vulnerable software.