[TYPO3-core] RFC: cObj->getGlobal bug fix

Michael Stucki michael at typo3.org
Mon Nov 28 20:14:42 CET 2005

Ingmar Schlecht wrote:

>> But I and Michael discussed it a little bit and thought it would open a
>> security leak. A non system/db admin ... but TYPO3 admin could enter
>> malicious TS Setup to display the installToolPassword hash or the
>> encryptionKey or the actually logged in BE/FE-User password in the FE.
> Doesn't seem like a real security issue to me because admins can
> install extensions (i.e. PHP code) anyway and could also include scripts
> using .inc PHP resources included by TS.

You are right and I was wrong. I was pretty sure that even regular users
could gain access to the template module and sys_template. But since they

> So: Please remove the "restrictPaths" array for making it possible to
> display things like $TYPO3_CONF_VARS['SYS']['sitename'].

I agree with you!

- michael
Use a newsreader! Check out
