[TYPO3] Address-hunters, this is interesting for you: feevcal.. (and all the others: better fix this..)
zabined
deeken at oligoform.de
Wed Jul 12 17:49:28 CEST 2006
hi List,
I'm just trying out the very nice little calendar feevcal. small and
nice, at first I was so happy, after I fixed some translation-bugs and
improved html-output I was more happy.
but today I found something rather not so nice:
If you have feevcal in your page and put in the url by hand like
http://yoursite.com/index.php?id=where-you-placed-the-calendar&iden=0&view=6%20&no_cache=1
(important: view=6)
you can get all frontend-users by their ids by the variable iden. user
after user. the whole typo3-installation. if no extra template is
configured in the typoscript-Template of your site, everybody who can
see the calendar can have all Data of the page-fe-users: Name, Email,
Address, Telephone, Fax...
is this safe?? (ok, it won't crash your server and things like that, but..)
on the other side this little thing should not make you uninstall a very
useful nice extension
so if you are using feevcal in a non-restricted section of your page,
better use your own calendar-template:
copy agenda.tpl and take out all (sensitive) data of the
###TEMPLATE_USER### section
in your typoscript-template:
plugin.tx_feevcal_pi1.templateFile = fileadmin/where-you-put-your-templates/agenda.tpl
Best regards
Sabine Deeken
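
Added example, not part of the original post and not feevcal code: a log check that flags clients which requested view=6 with several different iden values, the pattern described above. It assumes Apache combined log format; the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2006:17:01:02 +0200] "GET /index.php?id=42&iden=0&view=6%20&no_cache=1 HTTP/1.1" 200 5120 "-" "curl"
203.0.113.7 - - [12/Jul/2006:17:01:03 +0200] "GET /index.php?id=42&iden=1&view=6%20&no_cache=1 HTTP/1.1" 200 5133 "-" "curl"
203.0.113.7 - - [12/Jul/2006:17:01:04 +0200] "GET /index.php?id=42&iden=2&view=6&no_cache=1 HTTP/1.1" 200 5098 "-" "curl"
203.0.113.7 - - [12/Jul/2006:17:01:05 +0200] "GET /index.php?id=42&iden=3&view=6&no_cache=1 HTTP/1.1" 200 5101 "-" "curl"
198.51.100.20 - - [12/Jul/2006:17:05:10 +0200] "GET /index.php?id=42&iden=5&view=6 HTTP/1.1" 200 5120 "-" "Mozilla"
198.51.100.20 - - [12/Jul/2006:17:05:40 +0200] "GET /index.php?id=42&iden=9&view=2 HTTP/1.1" 200 7000 "-" "Mozilla"
198.51.100.20 - - [12/Jul/2006:17:06:00 +0200] "GET /index.php?id=1 HTTP/1.1" 200 9000 "-" "Mozilla"
"""

# Client address and request target of one combined-log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def find_iden_enumeration(log_text, min_distinct=3):
    """Return {client_ip: sorted iden values} for clients that requested
    view=6 with at least min_distinct different numeric iden values."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # "view=6%20" decodes to "6 ", so strip before comparing.
        if "6" not in [v.strip() for v in params.get("view", [])]:
            continue
        for raw in params.get("iden", []):
            raw = raw.strip()
            if raw.isdecimal():
                seen[ip].add(int(raw))
    return {ip: sorted(ids) for ip, ids in seen.items()
            if len(ids) >= min_distinct}


if __name__ == "__main__":
    for ip, ids in find_iden_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} user ids via view=6: {ids}")
```

A single view=6 request is normal calendar use; the threshold (an assumption, tune it to your site) separates that from user-after-user retrieval.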