[TYPO3-ect] Securing typo3conf

Tonix (Antonio Nati) tonix at interazioni.it
Tue Aug 26 11:54:49 CEST 2008


Hi Søren,

generally speaking, I feel no one should be able to even guess what I have 
loaded inside my TYPO3, or whether or not I'm using the standard constants or 
setup files.
A well-planned query could discover all the extensions I have, and try to 
use a security hole in one of them (eventually).

Tonino

Søren Andersen wrote:
> Hi Tonino
>
> Which setup and constants files are you worried about being publicly
> accessed?
> As I see it, only extensions come with their default setup and constants TS
> code, which can be publicly accessed. Since these files are readable in the
> TER, there should be no security problem there.
> The only way I could imagine this being a problem, would be if you created
> your own extension, and started putting passwords in the default TS
> configuration of the extension, and that would be very bad!
>
> - Søren Andersen
>
> -----Original message-----
> From: typo3-team-extension-coordination-bounces at lists.netfielders.de
> [mailto:typo3-team-extension-coordination-bounces at lists.netfielders.de] On
> behalf of Tonix (Antonio Nati)
> Sent: 26 August 2008 11:31
> To: typo3-team-extension-coordination at lists.netfielders.de
> Subject: [TYPO3-ect] Securing typo3conf
>
>
> I've the feeling /typo3conf should be totally forbidden for any web 
> access, because it contains too many files (i.e. constants, setup) 
> which should not be accessed directly from the web.
>
> So I deny access to /typo3conf in my website configuration, and all 
> works, except for some routines which must be explicitly enabled.
> Up to now (for what I'm using now), the paths I must enable are:
>
>     * /typo3conf/ext/sr_freecap/pi1/captcha.php
>     * /typo3conf/ext/sr_freecap/pi2/newFreeCap.js
>     * /typo3conf/ext/dam_frontend/pushfile.php
>
> But I have some questions:
>
>     * how is the security of the /typo3conf path generally regarded?
>     * should a zone be introduced where plugins place
>       routines/files which should be generally accessible? Should there
>       be another place (i.e. like /typo3public/ or /typo3conf/public/)
>       where extensions automatically place any file which is
>       accessed directly from the web, denying instead any direct access to
>       /typo3conf?
>
> Thanks,
>
> Tonino
>


-- 
------------------------------------------------------------
        Inter at zioni            Interazioni di Antonio Nati 
   http://www.interazioni.it      tonix at interazioni.it           
------------------------------------------------------------
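As an added illustration (not part of the thread), the deny-by-default rule with the three exceptions Tonino lists can be written for Apache mod_rewrite in a .htaccess file in the TYPO3 document root; that the document root contains typo3conf/ and that mod_rewrite is enabled are assumptions.

```apache
# Added example, not from the original post or from TYPO3 itself.
# Assumes: this .htaccess sits in the TYPO3 document root (the directory
# holding typo3conf/) and mod_rewrite is loaded.
RewriteEngine On

# Exceptions first: the three files the post says the front end needs.
# All conditions must hold (the request is NOT one of these exact paths)
# for the deny rule below to fire. The anchored $ also rejects
# path-info suffixes such as /captcha.php/anything.
RewriteCond %{REQUEST_URI} !^/typo3conf/ext/sr_freecap/pi1/captcha\.php$
RewriteCond %{REQUEST_URI} !^/typo3conf/ext/sr_freecap/pi2/newFreeCap\.js$
RewriteCond %{REQUEST_URI} !^/typo3conf/ext/dam_frontend/pushfile\.php$

# Everything else under typo3conf/ (localconf.php, the extensions'
# constants and setup TypoScript, ext_localconf.php, ...) gets a 403
# and the rule chain stops. In .htaccess context the pattern has no
# leading slash; the (/|$) also catches a request for /typo3conf itself.
RewriteRule ^typo3conf(/|$) - [F,L]
```

To verify the policy, request /typo3conf/localconf.php and one of the allowlisted files with curl -I: the first should answer 403 and the second 200, and any new extension file the front end needs will show up as an unexpected 403 in the access log.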