[TYPO3-ect] Securing typo3conf
Tonix (Antonio Nati)
tonix at interazioni.it
Mon Sep 8 11:31:47 CEST 2008
Martin Holtz wrote:
> Hi Tonix,
>
>
>> I've the feeling /typo3conf should be totally forbidden for any web
>> access, because it contains too many files (i.e. constants, setup)
>> which should not be accessed directly from the web.
>>
>> So I deny access to /typo3conf in my website configuration, and all
>> works, except for some routines which must be explicitly enabled.
>> Up to now (for what I'm using now), the paths I must enable are:
>>
>> * /typo3conf/ext/sr_freecap/pi1/captcha.php
>> * /typo3conf/ext/sr_freecap/pi2/newFreeCap.js
>> * /typo3conf/ext/dam_frontend/pushfile.php
>>
> keep in mind, that some extensions have css/icons etc. which are used in
> frontend and/or backend.
>
>
>
I see there are too many problems before I can use this kind of
protection with the current TYPO3.
But I feel this is something the TYPO3 development group should consider in
future development.
If there is a security hole in one extension it is very easy to check if
a site uses that extension.
So, probably something must be changed in the future: either splitting
extensions into two different zones (private and public, where public
contains CSS, gif, etc.), or registering extensions in a different way
(it could be enough to register each extension in a random way - i.e.
EXT:/23fa45eg_extension_name/..., where the random key is stored inside
localconf.php), or both solutions together.
Just my 1 cent consideration.
Regards,
Tonino
> gruss,
> martin
> _______________________________________________
> TYPO3-team-extension-coordination mailing list
> TYPO3-team-extension-coordination at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-team-extension-coordination
>
>
--
------------------------------------------------------------
Inter at zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix at interazioni.it
------------------------------------------------------------
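
The deny-by-default setup described in the message, written out as an added example that is not part of the original post. It assumes Apache httpd 2.4 and a placeholder document root `/var/www/example`; only the three paths listed in the message are re-opened.

```apache
# Added example, assuming Apache httpd 2.4. /var/www/example is a placeholder
# document root, not a path taken from the original message.

# Permissive setting, shown commented out for comparison: everything under
# typo3conf (configuration, constants, setup files) can be requested directly.
#<Directory "/var/www/example/typo3conf">
#    Require all granted
#</Directory>

# Deny by default for the whole typo3conf tree.
<Directory "/var/www/example/typo3conf">
    Require all denied
</Directory>

# Re-open only the three paths named in the message. A <Files> block nested in
# a <Directory> is merged after the directory sections, so its Require
# replaces the inherited denial for that file name only (in that directory
# and any subdirectory of it).
<Directory "/var/www/example/typo3conf/ext/sr_freecap/pi1">
    <Files "captcha.php">
        Require all granted
    </Files>
</Directory>

<Directory "/var/www/example/typo3conf/ext/sr_freecap/pi2">
    <Files "newFreeCap.js">
        Require all granted
    </Files>
</Directory>

<Directory "/var/www/example/typo3conf/ext/dam_frontend">
    <Files "pushfile.php">
        Require all granted
    </Files>
</Directory>

# As the reply in this thread points out, extensions that ship CSS or icons
# for the frontend or backend need their own entries of the same form;
# none are listed here because the thread names no further paths.
```

With this in place a request for `/typo3conf/localconf.php` should return 403 while the three listed files stay reachable.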