[TYPO3-core] RFC #13754: Secure Install Tool Login

Marcus Krause marcus#exp2010 at t3sec.info
Sat Mar 6 21:53:29 CET 2010


Steffen Ritter wrote on 03/06/2010 12:18 PM:
> Bernhard Kraft wrote:
>> This is a SVN patch request.
>> [...]
>> Problem:
>> As we have an rsaauth library now and a service for salted passwords
>> it would make sense to:
>> [...]
> -1 because install tool should not depend on any extensions
> -1 because rsaauth is not supported
> -1 because if you are experimenting with those extensions you probably
> need the install tool as fallback to deactivate it and recreate a new
> adminuser

I fully agree. Don't bring too much complexity into the install tool.
You, as a developer, might use it on a daily basis (on a development
system). An ordinary TYPO3 admin might use it once in two months. IMHO,
it's not worth blowing up its code then.

We might consider storing the install tool password as sha1 hash in
localconf. But that's all I would do in regards to security improvements.

Marcus.


-- 
Member TYPO3 Security Team
Blog on TYPO3 Security: http://secure.t3sec.info/blog/

