[TYPO3-core] RFC #14719: Automatically create ENABLE_INSTALL_TOOL file when 1-2-3 Install Tool is used

Helmut Hummel helmut at typo3.org
Sun Jun 20 19:12:42 CEST 2010


Hi Steffen,

On 20.06.10 16:51, Steffen Ritter wrote:
> On 20.06.2010 16:24, bernd wilke wrote:
>> intruder may enter data for his own external database:
>>     '12.34.56.78'/'hacker'/'pwd'
>>
>> =>  he gets access to install-tool and can do anything.
>>
> well, "typo3 default passwords are known", too...
> at all: who has an uploaded only typo3 dummy+source at his host for long
> enough to get attacked

I already elaborated on this, it's more or less theoretical.

Nevertheless, currently an unpacked TYPO3+dummy is secured by default.

> question, two: why is typo3 allowed to access external mysql servers?

Of course you could argue it's an insecure server setup if it is allowed
to do arbitrary outgoing connections. However I fear not many hosters
will do this extra setup work (but I guess they will set a secure mysql
root password).

> i think, at least a little bit of thinking must be asked for from TYPO3
> users ;)

Currently the user must start thinking when he wants to proceed with the
installation. With the change applied, the thinking must start after
unpacking (if FIRST_INSTALL is in dummy package) ;)

Well ...

Regards Helmut (still not understanding why creating a file should be a
problem for installing TYPO3)

