[TYPO3-ect] Securing typo3conf
Tonix (Antonio Nati)
tonix at interazioni.it
Wed Sep 10 17:37:16 CEST 2008
Ernesto Baschny [cron IT] wrote:
> Steffen Ritter wrote: on 08.09.2008 16:51:
>
>> Hi,
>> whenever there is a public part of the Extension it would be easy to
>> check if the extension exists or not. Because everybody knows what would
>> be in this public part and may test for it. Random path would not help either
>> because in your HTML code the path to the public folder has to be
>> included, to use CSS or Images and so on.
>>
>> But as others said before: I do not think that there is a security risk.
>> Even if they know what extensions I'm using it would be difficult to
>> determine the version.
>> So far...
>>
>
> It is usually very easy, just grab
> http://domain/typo3conf/ext/tt_news/ChangeLog or some other text file
> that is not protected per se.
>
> In TYPO3 v5 there is a clear distinction between those parts that are
> the "code" and the public resources, which are handled by some resource
> manager. So if it is a comfort, that problem is well known and will be
> handled much better in TYPO3 v5, but I guess there is no easy solution
> to that in TYPO3 v4.
>
>
It is important to know this problem is known and will be solved in future.
Thanks,
Tonino
> Cheers,
> Ernesto
> _______________________________________________
> TYPO3-team-extension-coordination mailing list
> TYPO3-team-extension-coordination at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-team-extension-coordination
>
>
--
------------------------------------------------------------
Inter at zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix at interazioni.it
------------------------------------------------------------
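
A local check for the kind of file discussed in this thread, as an added example that is not part of the original messages or of TYPO3: it walks typo3conf/ext under a document root and lists files the web server would send verbatim (such as ChangeLog) that are not page assets. The suffix lists, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: suffixes the web server hands to PHP instead of sending verbatim.
EXECUTED = {".php"}
# Assumption: asset types a rendered page legitimately links to.
PUBLIC_ASSETS = {".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico"}


def audit_ext_dir(docroot):
    """Return {extension_key: [paths served verbatim that are not assets]}."""
    ext_root = os.path.join(docroot, "typo3conf", "ext")
    findings = {}
    if not os.path.isdir(ext_root):
        return findings
    for key in sorted(os.listdir(ext_root)):
        base = os.path.join(ext_root, key)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in sorted(files):
                suffix = os.path.splitext(name)[1].lower()
                if suffix in EXECUTED or suffix in PUBLIC_ASSETS:
                    continue
                # Anything left (ChangeLog, manuals, text files) is readable
                # by any visitor unless the server is configured to deny it.
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.setdefault(key, []).append(rel.replace(os.sep, "/"))
    return findings


def build_sample_tree(root):
    """Constructed sample layout, not taken from a real installation."""
    for rel in ("typo3conf/ext/tt_news/ChangeLog",
                "typo3conf/ext/tt_news/ext_emconf.php",
                "typo3conf/ext/tt_news/res/news.css",
                "typo3conf/ext/tt_news/doc/manual.sxw",
                "typo3conf/ext/my_ext/pi1/class.tx_myext_pi1.php"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for key, paths in audit_ext_dir(tmp).items():
            print(key, paths)
```

The paths it reports are candidates for a deny rule in the web server configuration or for removal from the deployed copy.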