[TYPO3-core] RFC #14719: Automatically create ENABLE_INSTALL_TOOL file when 1-2-3 Install Tool is used

Steffen Ritter info at rs-websystems.de
Sun Jun 20 16:51:00 CEST 2010


On 20.06.2010 16:24, bernd wilke wrote:
> On Sun, 20 Jun 2010 12:03:31 +0200, Susanne Moog wrote:
>
>> On 14.06.2010 19:06, Jeff Segars wrote:
>>> Hey guys,
>>> This is an SVN patch request.
>>>
>>> Type: (mini) Feature, Usability
>>>
>>> Bugtracker Reference: http://bugs.typo3.org/view.php?id=14719
>>>
>>> Branches: Trunk
>>>
>>> Problem:
>>> When a new user first installs TYPO3, they must create the
>>> ENABLE_INSTALL_TOOL file before installation can continue. For a
>>> friendlier first install, it would be nice to automatically create the
>>> file and go directly to the 1-2-3 Install Tool
>>
>> Find attached a version of this patch that implements Helmut's proposal
>> as follows:
>>
>> * Jeff's v2 is the base of the patch, so if FIRST_INSTALL is present it
>>   gets deleted and the ENABLE_INSTALL_TOOL file is created.
>> * If you haven't set your database credentials or if it is not possible
>>   to connect with the given credentials you will be redirected to the db
>>   step of the install tool in 1-2-3 mode, so you have no access to
>>   advanced mode as long as your database is not set up.
>>
>> So this is the combination of Jeff's and Steffen's solution.
>
>
> question for security-team:
> what are the needs to restrict the following situation:
>
> Source and dummy installed, but no further action (no database
> configured, not entered install-tool)
>
> access from 'outside':
> intruder may guess (correctly):
> 	'localhost'/'root'/''
> intruder may enter data for his own external database:
> 	'12.34.56.78'/'hacker'/'pwd'
>
> => he gets access to install-tool and can do anything.
>
>
> bernd
well, "typo3 default passwords are known", too...
at all: who has an uploaded only typo3 dummy+source at his host for long
enough to get attacked?

question, two: why is typo3 allowed to access external mysql servers?

i think, at least a little bit of thinking must be asked for from TYPO3 
users ;)
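
The pre-setup state discussed in this thread (marker file present, no working database settings) can be checked for on a host. The following is an added example, not code from the patch or from TYPO3; it assumes the marker files live in `typo3conf/` and that database settings are the `$typo_db*` variables of a TYPO3 4.x `typo3conf/localconf.php`, and the state names and sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumptions (the thread gives no paths): marker files sit in typo3conf/, and
# DB settings are the $typo_db* variables of a TYPO3 4.x typo3conf/localconf.php.
DB_VAR = re.compile(
    r"""^\s*\$(typo_db(?:_host|_username)?)\s*=\s*(['"])(.*?)\2\s*;""", re.M)
REQUIRED = ("typo_db", "typo_db_host", "typo_db_username")

def db_configured(conf_dir: Path) -> bool:
    """True if localconf.php sets a non-empty host, username and database."""
    localconf = conf_dir / "localconf.php"
    if not localconf.is_file():
        return False
    values = {}
    for name, _quote, value in DB_VAR.findall(localconf.read_text(errors="replace")):
        values[name] = value  # a later assignment overrides an earlier one
    return all(values.get(key) for key in REQUIRED)

def audit_site(site_root) -> str:
    """Classify one installation by the pre-setup state raised in the thread."""
    conf = Path(site_root) / "typo3conf"
    opened = [m for m in ("FIRST_INSTALL", "ENABLE_INSTALL_TOOL") if (conf / m).exists()]
    if not db_configured(conf):
        return "exposed" if opened else "locked-unconfigured"
    return "review-enabled" if opened else "ok"

def demo() -> dict:
    """Build constructed sample sites in a temp dir and audit each one."""
    configured = "<?php\n$typo_db_username = 'cms';\n$typo_db_host = 'localhost';\n$typo_db = 'site';\n"
    samples = {  # name -> (marker files, localconf.php content or None)
        "fresh-upload": (["FIRST_INSTALL"], None),
        "half-done": (["ENABLE_INSTALL_TOOL"], "<?php\n$typo_db_host = 'localhost';\n"),
        "live": ([], configured),
        "live-tool-open": (["ENABLE_INSTALL_TOOL"], configured),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (markers, localconf) in samples.items():
            conf = Path(tmp) / name / "typo3conf"
            conf.mkdir(parents=True)
            for marker in markers:
                (conf / marker).touch()
            if localconf is not None:
                (conf / "localconf.php").write_text(localconf)
            results[name] = audit_site(conf.parent)
    return results

if __name__ == "__main__":
    for site, state in demo().items():
        print(f"{site}: {state}")
```

A site reported as `exposed` is one where the install tool is reachable while no database has been set up, so it should be finished or taken offline rather than left uploaded.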

