[TYPO3-ect] How can be security threat defined?

Daniel Bruessler danielb at typo3.org
Thu Apr 3 22:16:51 CEST 2008


Hello Braulio José,

>> great that Spanish people have such long names: I just have two :-)
> Costarican actually.  Well, French people have 4 first names.  If I wrote
> my name like they do in the USA I should write Braulio J. Solano-Rojas. 
> José is my middle name (or second name) and Rojas my mother lastname.

Ah, it's the family thinking. In Germany we just get the last name of the 
father, and just little families.

>> If you like you can extend the wiki with an article about security. In
>> the moment these pages exist:
>> http://wiki.typo3.org/Category:Topic/security
> 
> I looked at it.  There is almost nothing written...  I'll try to find time
> to write something.

Kasper writes a lot about security in doc_core_inside. Yesterday I linked 
to it directly from
http://wiki.typo3.org/XDG#Security

>> You should talk to the people from the security-team, because they're
>> testing the security of extensions:
>> http://typo3.org/teams/security/
> 
> Yep, but I wrote to this list because, I think, extension creators should
> ask for a security API in TYPO3 and ask for security policies.

Yes, the idea is good, but the security team doesn't read this 
newsgroup. I think it's best to build a team with Axel Jung. See
http://typo3.org/extensions/repository/view/security_check/current/

> I liked very much the div/lib work.  In fact, I find that the validator
> object of div/lib is in fact a very good protector against Cross Site
> Scripting and SQL Injections.

Yes, div/lib is very well thought out. You could write a feature for the 
GET/POST handling, because most problems are with search text boxes 
and similar parameters. Beginner developers don't know that they have to 
take care of that before they put it into the DB. But if it's not easy to 
use, the majority won't want to use it.

> (...) before inserting in databases and after reading from databases.

It exists, but many developers don't know about it:
$GLOBALS['TYPO3_DB']->cleanIntList($list);      // comma list -> integers only
$GLOBALS['TYPO3_DB']->cleanIntArray($arr);      // array of values -> integers only
$GLOBALS['TYPO3_DB']->quoteStr($str,$table);    // escape a string for the DB (no surrounding quotes)

>> * ldap_auth
>> * SSO
>> * rlmp_extdbauth
>> * bzb_ldapsso
>> * sf_imap_login
>> * wk_sslauth
>> So you see you have a thousand possibilities to not have the password
>> stored in the db.
> Well, actually the problem was not that the password was stored in the
> database, but that the MD5 hash stored in the database was displayed in
> the front-end.  I believe passwords from the database should never be
> displayed in the front-end.

You mean in the HTML code of the login form, don't you? What should be 
changed in the standard login form?

Cheers!
Daniel


More information about the TYPO3-team-extension-coordination mailing list
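To make the GET/POST point in the mail concrete, here is an added example that is not part of Daniel's message, of div/lib, or of TYPO3 itself: the same frontend search handler written once the way a beginner typically writes it and once with the t3lib_DB helpers quoted above, plus escaping on output. It assumes a TYPO3 4.x frontend-plugin context where $GLOBALS['TYPO3_DB'] (t3lib_DB) and t3lib_div are available; the class name tx_myext_search and the tables tx_myext_items (uid, pid, title) and tx_myext_selection are hypothetical.

```php
<?php
// Added example, not from the mail above or from TYPO3 itself.
// Assumes a TYPO3 4.x frontend-plugin context where $GLOBALS['TYPO3_DB']
// (t3lib_DB) is initialised. The class name and the tables tx_myext_items
// (uid, pid, title) and tx_myext_selection are hypothetical.

class tx_myext_search {

    // BEFORE: request values go straight into the WHERE clause and the
    // result is echoed unescaped. The SQL injection and the XSS are on
    // the two lines marked below.
    function searchUnsafe() {
        $sword = t3lib_div::_GP('sword');   // from the search text box
        $pids  = t3lib_div::_GP('pids');    // e.g. "12,13" from a hidden field
        $where = "pid IN (" . $pids . ") AND title LIKE '%" . $sword . "%'"; // SQL injection
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,title', 'tx_myext_items', $where);
        $out = '';
        while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
            $out .= '<li>' . $row['title'] . '</li>';  // XSS: title is stored user input
        }
        $GLOBALS['TYPO3_DB']->sql_free_result($res);
        return '<ul>' . $out . '</ul>';
    }

    // AFTER: the same query with the t3lib_DB helpers from the mail, plus
    // htmlspecialchars() on the way back out to HTML.
    function searchSafe() {
        $sword = t3lib_div::_GP('sword');
        $pids  = t3lib_div::_GP('pids');

        // cleanIntList() casts every comma-separated piece to an integer,
        // so only digits and commas can reach the IN (...) list.
        $pidList = $GLOBALS['TYPO3_DB']->cleanIntList($pids);

        // quoteStr() escapes quotes and backslashes for the DB but adds no
        // surrounding quotes, which is what a LIKE '%...%' pattern needs.
        // (% and _ inside $sword still act as wildcards; that only widens
        // the search, it does not break out of the string literal.)
        $swordEsc = $GLOBALS['TYPO3_DB']->quoteStr($sword, 'tx_myext_items');

        $where = 'pid IN (' . $pidList . ") AND title LIKE '%" . $swordEsc . "%'";
        $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,title', 'tx_myext_items', $where);
        $out = '';
        while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
            // Escaping on output covers the XSS side. Sanitising before the
            // INSERT alone does not, because other code paths (backend
            // forms, imports) write the same table.
            $out .= '<li>' . htmlspecialchars($row['title']) . '</li>';
        }
        $GLOBALS['TYPO3_DB']->sql_free_result($res);
        return '<ul>' . $out . '</ul>';
    }

    // For an equality comparison (no LIKE wildcards) use fullQuoteStr(),
    // which returns the value already wrapped in quotes.
    function findByExactTitle($title) {
        $where = 'title=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($title, 'tx_myext_items');
        return $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('uid,title', 'tx_myext_items', $where);
    }

    // cleanIntArray() does the same as cleanIntList() for an array, e.g. a
    // multi-select posted as cats[]=3&cats[]=4. exec_INSERTquery() quotes
    // the field values itself, so nothing else needs escaping here.
    function saveSelection($itemUid) {
        $cats = $GLOBALS['TYPO3_DB']->cleanIntArray((array) t3lib_div::_GP('cats'));
        $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_myext_selection', array(
            'pid'      => 0,
            'item_uid' => intval($itemUid),
            'cats'     => implode(',', $cats),
        ));
    }
}
```

The pattern is the one Daniel's list of helpers implies: integers are cast, strings are escaped by the t3lib_DB object (which knows the connection's character set, unlike a hand-rolled addslashes()), and anything that ends up in HTML is escaped again on the way out, regardless of how it got into the table.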