[TYPO3-core] RFC: cObj->getGlobal bug fix
Michael Stucki
michael at typo3.org
Mon Nov 28 20:14:42 CET 2005
Ingmar Schlecht wrote:
>> But I and Michael discussed it a little bit and thought it would open a
>> security leak. A non system/db admin ... but TYPO3 admin could enter
>> malicious TS Setup to display the installToolPassword hash or the
>> encryptionKey or the actually logged in BE/FE-User password in the FE.
>
> Doesn't seem like a real security issue to me because admins can
> install extensions (i.e. PHP code) anyway and could also include scripts
> using .inc PHP resources included by TS.

You are right and I was wrong. I was pretty sure that even regular users
could gain access to the template module and sys_template. But since they
cannot...

> So: Please remove the "restrictPaths" array for making it possible to
> display things like $TYPO3_CONF_VARS['SYS']['sitename'].

I agree with you!

- michael
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/