[TYPO3-v4] Automatically enabled install tool
Helmut Hummel
helmut.hummel at typo3.org
Wed Aug 3 01:00:15 CEST 2011
Hi Steffen,
thanks for your comments.
On 03.08.11 00:27, Steffen Kamper wrote:
> But the install tool is password protected, so this is not a loss of
> security. Sure, as admin you have enough ways to reset the password and
> access anyways.
In a perfect world that protection helps. But the whole authentication
is _VERY_ basic compared to the TYPO3 backend. The password protection
of the install tool is way too weak compared to the possibilities it
provides.
Let me give you different examples to explain the importance of
multiple protection layers:
Why not store passwords in the database in clear text? In a perfect
world, no unauthorized user can read database values, thus not the
passwords.
Why does my operating system not allow me to install programs
without prompting for a password?
Because defense in depth[1] is a proven security principle.
Kind regards,
Helmut
[1] https://www.owasp.org/index.php/Defense_in_depth
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org