[TYPO3-dev] Install Tool: Deletion suggested!?

Helmut Hummel helmut at typo3.org
Thu May 20 22:42:57 CEST 2010


On 20.05.10 09:46, Steffen Gebert wrote:
> On 20.05.2010, 08:53, Sebastian Gebhard
> <sebastiangebhard at hoch2.de> wrote:
> 
>> I can not agree fully. The sites did not have a htaccess file and
>> ENABLE_INSTALL_TOOL was activated. If these things had been considered
>> by the admins, the hacks would not have happened.

I know.

>> I think the recommendations about htaccess file and
>> ENABLE_INSTALL_TOOL help to build a pretty sure system.
> 
> FULLACK

.htaccess is pretty secure. I don't argue that it isn't enough for most
needs.

But you can't say that deleting it isn't more secure. You can't exploit
anything that is not there.

If you only think about how you can exploit a locked down and .htaccess
secured install tool, you will feel pretty safe. And in fact it is, if
there aren't any other attack vectors that circumvent this protection
somehow. And in many cases not only one vulnerability is used to hack a
system. Probably one would be enough, but could make it easier. That's
why I came up with the example of the famously hacked TYPO3 sites. The
jumpURL issue was bad enough but with the unlocked install tool it was
soooo easy to hack these sites.

Believe me or not, there are cases where you want to delete the install
tool, just to be sure.

But what I really don't understand is, why this one line of text should
harm anything in any way. It's simply a suggestion. You don't have to
follow it if you don't want to (and I don't want to convince you), but
probably someone else would.

Regards Helmut
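The thread argues about three states of the Install Tool: deleted, present but locked behind .htaccess, and present with ENABLE_INSTALL_TOOL set. The following read-only audit script is an added example and not code from the thread or from the TYPO3 project; it assumes the TYPO3 4.x layout (the `typo3/install/` directory, an optional `typo3/install/.htaccess`, and the `typo3conf/ENABLE_INSTALL_TOOL` flag file, which TYPO3 treats as permanently unlocked when it contains the string `KEEP_FILE`). It reports which of the three states a site root is in so an admin can check many sites from a cron job.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): read-only audit of
# Install Tool exposure for a TYPO3 4.x site root.
# Assumed layout: typo3/install/ (tool code), typo3/install/.htaccess
# (optional access restriction), typo3conf/ENABLE_INSTALL_TOOL (unlock flag).

# install_tool_status <site_root>
# Prints one finding per line. Return codes:
#   0 = Install Tool removed (nothing left to attack)
#   1 = Install Tool present but locked (no ENABLE_INSTALL_TOOL)
#   2 = Install Tool present and unlocked
install_tool_status() {
    root="$1"
    present=0
    enabled=0

    if [ -d "$root/typo3/install" ]; then
        present=1
        echo "present: $root/typo3/install exists (tool code still deployed)"
        if [ -f "$root/typo3/install/.htaccess" ]; then
            echo "protected: typo3/install/.htaccess found"
        else
            echo "unprotected: no typo3/install/.htaccess"
        fi
    else
        echo "removed: $root/typo3/install does not exist"
    fi

    if [ -f "$root/typo3conf/ENABLE_INSTALL_TOOL" ]; then
        enabled=1
        # KEEP_FILE disables the automatic expiry of the flag file (assumption
        # based on TYPO3 4.x behaviour, not stated in the thread).
        if grep -q KEEP_FILE "$root/typo3conf/ENABLE_INSTALL_TOOL"; then
            echo "unlocked: ENABLE_INSTALL_TOOL contains KEEP_FILE (permanent)"
        else
            echo "unlocked: ENABLE_INSTALL_TOOL present (temporary)"
        fi
    else
        echo "locked: no typo3conf/ENABLE_INSTALL_TOOL"
    fi

    if [ "$present" -eq 0 ]; then
        return 0
    elif [ "$enabled" -eq 1 ]; then
        return 2
    else
        return 1
    fi
}

# Usage: install_tool_status /var/www/example-site; echo "state=$?"
```

The return code is deliberately ordered so that `2` (unlocked) is the only state that needs immediate action, while `1` still leaves an attack surface that a second vulnerability could reach, which is the point Helmut makes about chained bugs.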