[TYPO3-ect] How can a security threat be defined?

Braulio José Solano Rojas braulio at solsoft.co.cr
Wed Apr 2 19:50:41 CEST 2008


Hi!

On Tue, 1 April 2008, 4:06 pm, Daniel Bruessler wrote:
> Hello Braulio José Solano Rojas,
>
> great that Spanish people have such long names: I just have two :-)

Costa Rican actually.  Well, French people have 4 first names.  If I wrote
my name like they do in the USA I should write Braulio J. Solano-Rojas.
José is my middle name (or second name) and Rojas my mother's last name.

> If you like you can extend the wiki with an article about security. In
> the moment these pages exist:
> http://wiki.typo3.org/Category:Topic/security

I looked at it.  There is almost nothing written...  I'll try to find time
to write something.

> You should talk to the people from the security-team, because they're
> testing the security of extensions:
> http://typo3.org/teams/security/

Yep, but I wrote to this list because I think extension creators should
ask for a security API in TYPO3 and ask for security policies.

I liked the div/lib work very much.  In fact, I find that the validator
object of div/lib is a very good protector against Cross Site Scripting
and SQL Injections.

I have looked at a lot of CMSs.  There are always things I don't like and
things I like.  It can also be a subjective point of view.  Something I
liked very much from Postnuke was the security API they had.  All the
forms were authenticated for protection against Cross Site Request
Forgeries.  There were API functions to handle GET and POST vars which
filtered against Cross Site Scripting, and there were functions to check
variables before inserting them in databases and after reading them from
databases.  It is interesting that it was a CMS from 1999.  The API was
very clean; however, I did not like its concept very much.

> I just read the md5-password what you wrote about, so you can use
> another auth-method:
> * ldap_auth
> * SSO
> * rlmp_extdbauth
> * bzb_ldapsso
> * sf_imap_login
> * wk_sslauth
>
> So you see you have thousand possibilities to not have the password
> stored in the db.

Well, actually the problem was not that the password was stored in the
database, but that the MD5 hash stored in the database was displayed in
the front-end.  I believe passwords from the database should never be
displayed in the front-end.

Friendly regards,

B.

>> Hi.
>>
>> I would like to know what is considered insecure from an extension
>> development point of view.  Are there any security good practices
>> manuals for TYPO3?  IMHO I found the TYPO3 Coding Guidelines manual
>> somewhat light in terms of security; it does not establish true
>> security policies.
>>
>> I also would like to have your opinion on:
>> http://bugs.typo3.org/view.php?id=7932.
>>
>> Just trying to organize my ideas better.
>>
>> Best regards,
>>
>> B.
> _______________________________________________
> TYPO3-team-extension-coordination mailing list
> TYPO3-team-extension-coordination at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-team-extension-coordination
>
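The kind of extension security API the message above describes (form tokens against Cross Site Request Forgery, typed accessors for GET/POST variables, escaping before output, and database access that never exposes a stored password hash) can be sketched in plain PHP. The following is an added example written for this page; it is not code from the post, from TYPO3, from div/lib or from Postnuke. The class name `ExtSecurity`, its method names and the `fe_users` table layout are assumptions chosen for the illustration, and all input values are constructed.

```php
<?php
// Added example: a minimal security helper of the kind described in the
// mailing-list post. Not TYPO3, div/lib or Postnuke code; all names are assumed.
declare(strict_types=1);

final class ExtSecurity
{
    /** Per-session secret; a real application keeps this in the session store. */
    private string $secret;

    public function __construct(string $sessionSecret)
    {
        $this->secret = $sessionSecret;
    }

    /** Form token bound to the session secret and the form name (CSRF protection). */
    public function formToken(string $formName): string
    {
        return hash_hmac('sha256', $formName, $this->secret);
    }

    /** Validate a submitted token; hash_equals compares in constant time. */
    public function checkFormToken(string $formName, $submitted): bool
    {
        if (!is_string($submitted)) {
            return false;
        }
        return hash_equals($this->formToken($formName), $submitted);
    }

    /** Read a GET/POST variable and constrain it to an expected type, else return the default. */
    public static function getVar(array $source, string $name, string $type, $default = null)
    {
        if (!array_key_exists($name, $source)) {
            return $default;
        }
        $raw = $source[$name];
        switch ($type) {
            case 'int':
                // filter_var rejects anything that is not a whole integer string.
                return filter_var($raw, FILTER_VALIDATE_INT) !== false ? (int) $raw : $default;
            case 'string':
                return is_string($raw) ? $raw : $default;
            default:
                throw new InvalidArgumentException("unknown type $type");
        }
    }

    /** Escape for HTML output: this is where Cross Site Scripting is prevented. */
    public static function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// --- Demo with constructed request data ---
$sec = new ExtSecurity(bin2hex(random_bytes(32)));
$token = $sec->formToken('contact');

// Constructed POST array: a forged token, markup in a text field, a non-numeric page id.
$post = ['token' => 'forged', 'name' => '<b>visitor</b>', 'page' => '12abc'];
var_dump($sec->checkFormToken('contact', $post['token']));   // forged token is rejected
var_dump($sec->checkFormToken('contact', $token));           // the issued token is accepted
echo ExtSecurity::html(ExtSecurity::getVar($post, 'name', 'string', '')), "\n";
var_dump(ExtSecurity::getVar($post, 'page', 'int', 1));     // '12abc' fails validation, default used

// Database side: prepared statements for the values, and the SELECT used for
// display never includes the password column, so a hash cannot reach the front-end.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$insert = $db->prepare('INSERT INTO fe_users (username, password) VALUES (:u, :p)');
$insert->execute([
    ':u' => "bob' OR '1'='1",                              // constructed value with a quote in it
    ':p' => password_hash('constructed-password', PASSWORD_DEFAULT),
]);
$select = $db->prepare('SELECT uid, username FROM fe_users WHERE username = :u');
$select->execute([':u' => "bob' OR '1'='1"]);
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo ExtSecurity::html($row['username']), "\n";        // escaped again on the way out
}
```

Run it with `php example.php` (it needs the `pdo_sqlite` extension). The two points the post makes are visible in the shape of the code: checking happens at both boundaries, once when a request variable is read and again when a value is written back to the page, and the query that feeds the front-end simply does not select the password column, which is the simplest way to guarantee the MD5 (or any other) hash is never displayed.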