[TYPO3-core] Feature request: Remove password from content of notification emails

Andreas Otto andreas.otto at dkd.de
Tue May 15 11:53:52 CEST 2007


Hello,

the following email was posted to the Security Team last week.

On Friday 11 May 2007 12:10, Heinz Werner Kramski wrote:
> our Typo3 4.1.1 warns us about failed Install Tool login attempts in
> the following manner:
>
> There has been a Install Tool login attempt at TYPO3 site 'Deutsches
> Literaturarchiv' (cww-prod.dla-marbach.de).
> Password tried was 'forgetful-admin-test'
> REMOTE_ADDR was '172.31.23.2' ()
>
> We don't see any use in quoting the invalid password here verbatim. In
> contrast, forgetful admins like us may try their BE password for
> install tool login, which is then transferred through insecure e-mail.
>
> While this might not be the world's biggest security problem, we would
> like to see another default behaviour or an appropriate configuration
> switch. (If there already is one, we and our T3 agency were unable to
> find it; TIA for any pointers).

In the Security Team we have decided that this is not a security problem but
a feature request which should be forwarded to the Core Team.

Now it is up to us to change the default behaviour or leave things as they
are now.

Any opinions?


Cheers,
Andreas
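As an added illustration (not TYPO3 code; the function names, the array layout and the extra timestamp line are assumptions), the notification quoted above built in its current, leaky form and in a form that carries only attempt metadata, together with a guard that refuses to hand a body to the mailer if the submitted secret appears in it:

```php
<?php
// Added example, not TYPO3's own code. Shows why the tried password
// should not be part of the Install Tool failed-login notification and
// how to keep it out. All names here are hypothetical.

declare(strict_types=1);

/**
 * The behaviour the thread complains about: whatever was typed into the
 * password field is quoted verbatim into a plain-text e-mail.
 */
function buildNotificationLeaky(array $ctx, string $triedPassword): string
{
    return "There has been an Install Tool login attempt at TYPO3 site "
        . "'{$ctx['siteName']}' ({$ctx['host']}).\n"
        . "Password tried was '{$triedPassword}'\n"
        . "REMOTE_ADDR was '{$ctx['remoteAddr']}' ({$ctx['remoteHost']})\n";
}

/**
 * Hardened form: report that an attempt happened, from where and when,
 * and nothing derived from the secret. Not a hash and not the length
 * either: a hash of a mistyped real backend password is an offline
 * guessing target, and the length alone narrows the search space.
 * (The timestamp line is an addition; the original mail has none.)
 */
function buildNotification(array $ctx): string
{
    return "There has been an Install Tool login attempt at TYPO3 site "
        . "'{$ctx['siteName']}' ({$ctx['host']}).\n"
        . "Time: {$ctx['time']}\n"
        . "REMOTE_ADDR was '{$ctx['remoteAddr']}' ({$ctx['remoteHost']})\n";
}

/**
 * Regression guard: true if the body contains the submitted secret.
 * Case-insensitive so an upstream normalisation step cannot hide a leak.
 */
function bodyLeaksSecret(string $body, string $secret): bool
{
    if ($secret === '') {
        return false;
    }
    return stripos($body, $secret) !== false;
}

/**
 * Wrapper around whatever sends the mail: refuse to send a leaking body.
 */
function sendNotification(string $body, string $secret, callable $mailer): void
{
    if (bodyLeaksSecret($body, $secret)) {
        throw new RuntimeException('notification body contains the submitted secret; refusing to send');
    }
    $mailer($body);
}

// Constructed sample context; values mirror the e-mail quoted in the thread.
$ctx = [
    'siteName'   => 'Deutsches Literaturarchiv',
    'host'       => 'cww-prod.dla-marbach.de',
    'remoteAddr' => '172.31.23.2',
    'remoteHost' => '',
    'time'       => gmdate('Y-m-d H:i:s') . ' UTC',
];
$tried = 'forgetful-admin-test';

// Stand-in for the real mailer: just print the body.
$mailer = static function (string $body): void {
    echo "--- would send ---\n", $body;
};

foreach (['leaky' => buildNotificationLeaky($ctx, $tried), 'safe' => buildNotification($ctx)] as $label => $body) {
    try {
        sendNotification($body, $tried, $mailer);
        echo "[$label] sent\n";
    } catch (RuntimeException $e) {
        echo "[$label] blocked: ", $e->getMessage(), "\n";
    }
}
```

The guard is deliberately a last line of defence: the real fix is the second builder, which never receives the password at all, so there is nothing to leak through the mail transport regardless of how the message is later formatted.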

