[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour

Marcus Krause marcus#exp2009 at t3sec.info
Mon Jun 22 08:36:35 CEST 2009


Steffen Kamper wrote on 06/22/2009 12:03 AM:
> Hi,
> 
> Bastian Waidelich schrieb:
>> Just an idea: would it be really hard to enable the install tool if
>> the file exists _or_ an admin user is logged in?
>>
> 
> hell of good idea! :)

Please don't do this. This would mean, whenever an admin session is
active you could potentially attack the install tool.

My favourite is the button approach. Not every admin session needs the
install tool. Only when really needed, the admin is able to create the
file with a single click. The admin decides when to make his system
"vulnerable" (aka enabling install tool). In your case the system will
do that every time.

Anyway, button or not is not up for a vote in this RFC.


Marcus.

-- 
TYPO3 Security blog: http://secure.t3sec.info/

