[TYPO3-core] Feature request: Remove password from content of notification emails

Andreas Otto andreas.otto at dkd.de
Tue May 15 11:53:52 CEST 2007


the following email was posted to the Security Team last week.

On Friday 11 May 2007 12:10, Heinz Werner Kramski wrote:
> our Typo3 4.1.1 warns us about failed Install Tool Login ATTEMPTs in
> the following manner:
> There has been a Install Tool login attempt at TYPO3 site 'Deutsches
> Literaturarchiv' (cww-prod.dla-marbach.de).
> Password tried was 'forgetful-admin-test'
> REMOTE_ADDR was '' ()
> We don't see any use in quoting the invalid password here verbatim. In
> contrast, forgetful admins like us may try their BE password for
> install tool login, which is then transferred through insecure e-mail.
> While this might not be the worlds biggest security problem, we would
> like to see another default behaviour or an appropriate configuration
> switch. (If there already is one, we and our T3 agency were unable to
> find it; TIA for any pointers).

In the Security Team we have decided that this is not a security problem but
a feature request which should be forwarded to the Core Team.

Now it is up to us to change the default behaviour or leave things as they
are now.

Any opinions?


More information about the TYPO3-team-core mailing list