[TYPO3-ect] Securing typo3conf
Ernesto Baschny [cron IT]
ernst at cron-it.de
Wed Sep 10 17:03:27 CEST 2008
Steffen Ritter wrote: on 08.09.2008 16:51:
> Hi,
> whenever there is a public part of the Extension it would be easy to
> check if the extension exists or not. Because everybody knows what would
> be in this public part and may test for. Random path would not help either
> because in your HTML Code the path to the public folder has to be
> included, to use CSS or Images and so on.
>
> But as others said before: I do not think that there is a security risk.
> Even if they know what Extensions I'm using it would be difficult to
> determine the version.
> So far...
It is usually very easy, just grab
http://domain/typo3conf/ext/tt_news/ChangeLog or some other text file
that is not protected per se.
In TYPO3 v5 there is a clear distinction between those parts that are
the "code" and the public resources, which are handled by some resource
manager. So if it is a comfort, that problem is well known and will be
handled much better in TYPO3 v5, but I guess there is no easy solution
to that in TYPO3 v4.
Cheers,
Ernesto
More information about the TYPO3-team-extension-coordination
mailing list
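
An added example, not part of the original post and not TYPO3 code: a local audit that walks a typo3conf/ext directory and lists the plain-text files (such as the ChangeLog mentioned above) that a web server would return as-is, together with the first version string each one contains. The file-name and suffix lists are assumptions, and the sample tree, including its version number, is constructed.

```python
import os
import re
import tempfile

# Assumption: file names that extension authors commonly ship and that state a version.
DISCLOSING_STEMS = {"changelog", "readme", "version"}
# Assumption: suffixes the web server returns as plain text instead of executing.
TEXT_SUFFIXES = {"", ".txt", ".md"}
VERSION_RE = re.compile(r"\b\d+\.\d+\.\d+\b")

def find_disclosing_files(ext_root):
    """Return (extension_key, relative_path, first_version_or_None) per exposed text file."""
    findings = []
    for dirpath, _dirs, files in os.walk(ext_root):
        for name in files:
            stem, suffix = os.path.splitext(name.lower())
            if stem not in DISCLOSING_STEMS or suffix not in TEXT_SUFFIXES:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, ext_root).replace(os.sep, "/")
            if "/" not in rel:
                continue  # file sits directly in ext_root, not inside an extension
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read(4096))
            findings.append((rel.split("/", 1)[0], rel, match.group(0) if match else None))
    return sorted(findings, key=lambda f: f[1])

def build_sample_tree(root):
    """Create a constructed typo3conf/ext layout for the demonstration."""
    samples = {
        "tt_news/ChangeLog": "2008-09-01 Release of version 9.9.9 (constructed)\n",
        "tt_news/ext_emconf.php": "<?php /* executed by PHP, source not served */\n",
        "tt_news/res/style.css": "/* public resource */\n",
        "my_ext/doc/README.txt": "Constructed readme without a version string\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for ext_key, rel, version in find_disclosing_files(tmp):
            print(f"{ext_key}: /typo3conf/ext/{rel} -> version {version or 'not found'}")
```

Run against a copy of a site's typo3conf/ext directory, the output is the list of files to move, delete or block at the web server.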