[TYPO3-core] RFC: cObj->getGlobal bug fix
Ingmar Schlecht
ingmar at typo3.org
Sun Nov 27 03:37:21 CET 2005
Bernhard Kraft wrote:
> I tested on php4 and it works perfectly.
>
> But I and Michael discussed it a little bit and thought it would open a security leak. A non
> system/db admin ... but TYPO3 admin could enter malicious TS Setup to display the installToolPassword
> hash or the encryptionKey or the actually logged in BE/FE-User password in the FE.
Doesn't seem like a real security issue to me because admins can
install extensions (i.e. PHP code) anyway and could also include scripts
using .inc PHP resources included by TS.
So: Please remove the "restrictPaths" array for making it possible to
display things like $TYPO3_CONF_VARS['SYS']['sitename'].
cheers,
Ingmar