[TYPO3-core] RFC: #15812: Add backend maintenance for login news

Jigal van Hemert jigal at xs4all.nl
Mon Sep 27 22:06:17 CEST 2010


Hi,

On 27-9-2010 20:14, Steffen Kamper wrote:
> Ernesto Baschny [cron IT] schrieb:
>> First reaction was like Steffen: "Why? An admin can do everything
>> anyway". But overall, most issues arise from the fact that the admin can
>> edit all content and he can *install extensions*. As soon as you disable
>> EM (which is now possible, as EM is a sysext), your admin cannot do
>> "everything".
> Yes, I also had this in mind later. So I'm ok with removeXss.

I was thinking about a certain security bulletin [1] and all the 
problems which resulted from that (new bugs, etc.).

I wouldn't expect any BE user to deliberately leave malicious stuff 
behind or let his login credentials be used by others, but our security 
team likes to fix these issues too. To save them the trouble, etcetera, 
it would be easier to fix problems before they arise :-)


[1] http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-012/

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh

