[TYPO3-core] RFC #14191: Install tool lacks hint of how to create ENABLE_INSTALL_TOOL

Steffen Gebert steffen at steffen-gebert.de
Tue May 11 09:32:17 CEST 2010


On 11.05.2010, at 08:44, Sebastian Gebhard
<sebastiangebhard at hoch2.de> wrote:

> On 08.05.10 17:52, Steffen Gebert wrote:
>> Solution:
>> Give the user this hint and a direct link to the module, when he's
>> logged in as BE admin user.
> Why do you want to offer a link to the link? Can't we check for admin  
> privileges here and offer a direct link to create the file?
We could, but it would require more effort to write the patch and to  
review it (just to be sure, we're creating no security hole). IMHO the  
link would be at least an improvement, compared to the current situation.

> BTW: After all, I think the ENABLE_INSTALL_TOOL thing is pretty  
> outdated. When someone has admin access to a TYPO3 Backend, he's also
> got access to the install tool. Creating the file takes attackers (and
> regular users of course!) some additional seconds to access the install  
> tool. Useless legacy in my eyes.
For the standalone version, we still need it - except we only rely on the  
password. But for sure, as soon as an attacker has BE admin access, he can  
create the file and modify localconf...

So *if* you can detect a valid backend session reliably, this would be a  
better improvement, of course!

Steffen

