[Typo3] encryptionKey value compromised! - security issue

Ingo Renner typo3 at ingo-renner.com
Wed Jul 6 20:04:43 CEST 2005


On Wed, 6 Jul 2005 19:53:29 +0200 (CEST), Darryl Krause wrote:

> Hi Ingo
> 
> Thanks for your input...
>> If you want to fix it in your installation you simply have to unset
>> 'encryptionKey' in the cHash array in class.indexer.php in
>> EXT:indexed_search.
> 
> I have looked into class.indexer.php and did not find any reference to 'encryptionKey'.

Of course you don't because it is included somehow automatically.

Search for function init()
In the very beginning of this method there's a line:

    if ($this->conf['cHash'])	$this->cHashParams['cHash'] = $this->conf['cHash'];	// Add this so that URL's come out right...

Below that line insert the following line:

    unset($this->cHashParams['encryptionKey']);		// encryptionKey is added inside TSFE in order to calculate the cHash value and it should NOT be a part of this array!!! If it is it will be exposed in links!!!


HTH
Ingo

-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
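
Added example, not part of the original message or of TYPO3's code: a Python check to run over rendered page HTML after applying the fix above, confirming that no link still carries a parameter named after the 'encryptionKey' array key. The sample HTML, the URL shapes and the function name leaking_links are constructed for illustration.

```python
"""Scan rendered HTML for links that leak an encryptionKey parameter."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

LEAK_NAME = "encryptionKey"  # array key named in the message above


class _LinkCollector(HTMLParser):
    """Collect href/action/src URL attributes from every tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.urls.append(value)


def leaking_links(html):
    """Return URLs whose query string has a parameter named after the key.

    Matches both a flat name (encryptionKey=...) and a bracketed array
    name (foo[encryptionKey]=...); the exact shape is an assumption.
    """
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        query = urlsplit(url).query
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if LEAK_NAME.lower() in name.lower():
                hits.append(url)
                break
    return hits


# Constructed sample pages (not real TYPO3 output).
BEFORE_FIX = (
    '<a href="index.php?id=12&amp;encryptionKey=CONSTRUCTED-SECRET'
    '&amp;cHash=0123abcd">Result 1</a>'
    '<a href="index.php?id=13&amp;cHash=4567ef01">Result 2</a>'
)
AFTER_FIX = '<a href="index.php?id=12&amp;cHash=0123abcd">Result 1</a>'

if __name__ == "__main__":
    for label, page in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, leaking_links(page))
```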


