Remove old code after a security update
Priority: Should have
The Security Guide should recommend that administrators remove any code from the server after a security update.
We sometimes see that system administrators update the TYPO3 core because of a security issue by extracting the new TYPO3 sources and changing the symlink, but leaving the sources of the previous TYPO3 version on the system. As a consequence, the insecure code is still accessible and the security vulnerability is possibly still exploitable. The advice should be that the old (possibly insecure) code should be removed as soon as possible.
The risk is a little bit lower with TYPO3 extensions, because usually the EM takes care of the update and replaces the existing directory of the extension. However, I have come across servers in the past where the admin created a backup of the extension directory before updating the extension. So the extension directory looks like:
Same issue here... same advice :-)
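The situation described in this report, as an added example that is not code from the issue or from the TYPO3 project: a POSIX shell audit that lists every typo3_src-* tree in the web root other than the one the typo3_src symlink points to, lists extension directories under typo3conf/ext whose names look like admin-made backup copies, and removes what it found. The web root layout, the version numbers and the backup naming patterns are a constructed fixture and assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the issue or from TYPO3: audit a web root
# for core sources and extension copies left behind after an update.
# Assumed layout: <webroot>/typo3_src is a symlink to
# <webroot>/typo3_src-<version>; local extensions live in <webroot>/typo3conf/ext.

# Real path of the version directory the typo3_src symlink points to
# (empty if the link is missing or dangling).
current_source_dir() {
    webroot="$1"
    (cd "$webroot/typo3_src" 2>/dev/null && pwd -P) || true
}

# typo3_src-* directories inside the web root that are NOT the linked
# version. Every one of them is still served by the web server.
find_stale_sources() {
    webroot="$1"
    current=$(current_source_dir "$webroot")
    for dir in "$webroot"/typo3_src-*; do
        [ -d "$dir" ] || continue
        real=$(cd "$dir" && pwd -P)
        [ "$real" = "$current" ] && continue
        printf '%s\n' "$dir"
    done
    return 0
}

# Extension directories whose names cannot be valid extension keys (keys
# consist of lower-case letters, digits and underscores) or that carry a
# typical backup suffix. The Extension Manager replaces the extension
# directory in place, so such copies serve no purpose and stay reachable.
find_ext_backups() {
    webroot="$1"
    for dir in "$webroot"/typo3conf/ext/*; do
        [ -d "$dir" ] || continue
        case "$(basename "$dir")" in
            *[!a-z0-9_]*|*_backup|*_bak|*_old) printf '%s\n' "$dir" ;;
        esac
    done
    return 0
}

# Remove everything the two checks report.
remove_stale() {
    webroot="$1"
    { find_stale_sources "$webroot"; find_ext_backups "$webroot"; } |
    while IFS= read -r dir; do
        rm -rf -- "$dir"
        printf 'removed %s\n' "$dir"
    done
}

# Constructed fixture (not a real server): a core update that switched the
# symlink but kept the old tree, and an extension update with a manual copy.
build_fixture() {
    webroot=$(mktemp -d)/webroot
    mkdir -p "$webroot/typo3_src-4.5.0/typo3" "$webroot/typo3_src-4.5.1/typo3" \
             "$webroot/typo3conf/ext/news" "$webroot/typo3conf/ext/news_backup" \
             "$webroot/typo3conf/ext/news.bak"
    ln -s typo3_src-4.5.1 "$webroot/typo3_src"
    printf '%s\n' "$webroot"
}

W=$(build_fixture)
echo "stale core sources:";      find_stale_sources "$W"
echo "extension backup copies:"; find_ext_backups "$W"
```

Run the two find_* functions against the real web root first and review the list before calling remove_stale; the name-based extension check is a heuristic and will also flag legitimately named directories that are not valid extension keys.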
Updated by Chris topher 6 months ago
For the TYPO3 source code you are probably most secure if you remove the old TYPO3 source code. However, you do not necessarily have to do this in order to stay secure. Another option is to use symlinks in a clever way. :-)
A common setup I have already found at different hosters is that the TYPO3 source code is stored outside the web root directory. Only the version you want (probably the current version) is then symlinked from the TYPO3 installation. That way old versions (the source code of which might still be there) are not reachable from outside.
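The layout described in the comment above, as an added example that is not code from the comment, the issue or the TYPO3 project: version trees in a sources directory outside the web root, a relative typo3_src symlink into it, a switch routine, and a check that lists which installed versions a request could reach through the web root. The directory names (base, sources, htdocs) and version numbers are a constructed fixture and assumptions.

```shell
#!/bin/sh
# Added example, not code from the comment or from TYPO3: keep every core
# version outside the web root and link only the wanted one into it.
# Assumed layout: <base>/sources/typo3_src-<version> (not served) and
# <base>/htdocs (the web root) with the usual typo3_src and typo3 symlinks.

# Constructed fixture (not a real server) with two versions installed.
build_layout() {
    base=$(mktemp -d)
    mkdir -p "$base/sources/typo3_src-4.5.0/typo3" \
             "$base/sources/typo3_src-4.5.1/typo3" \
             "$base/htdocs/typo3conf"
    ln -s ../sources/typo3_src-4.5.0 "$base/htdocs/typo3_src"
    ln -s typo3_src/typo3 "$base/htdocs/typo3"
    printf '%s\n' "$base"
}

# Re-point the web root at another installed version. ln -sfn replaces the
# link itself instead of descending into the directory it points to. The
# previous version stays on disk but nothing in the web root links to it.
switch_source() {
    base="$1"; version="$2"
    [ -d "$base/sources/typo3_src-$version" ] || return 1
    ln -sfn "../sources/typo3_src-$version" "$base/htdocs/typo3_src"
}

# Which installed versions could a request reach? A version counts as
# reachable if its tree lies inside the web root or if a top-level entry of
# the web root resolves into it (web servers follow the symlinks). Only the
# linked version should be printed; old ones must not appear.
reachable_versions() {
    base="$1"
    htdocs=$(cd "$base/htdocs" && pwd -P)
    for src in "$base"/sources/typo3_src-*; do
        [ -d "$src" ] || continue
        real=$(cd "$src" && pwd -P)
        reachable=no
        case "$real" in "$htdocs"/*) reachable=yes ;; esac
        for entry in "$base"/htdocs/*; do
            [ -d "$entry" ] || continue
            target=$(cd "$entry" && pwd -P)
            case "$target" in "$real"|"$real"/*) reachable=yes ;; esac
        done
        [ "$reachable" = yes ] && basename "$src"
    done
    return 0
}

B=$(build_layout)
echo "reachable before switch:"; reachable_versions "$B"
switch_source "$B" 4.5.1
echo "reachable after switch:";  reachable_versions "$B"
```

Whether a version shows up depends only on what the web root links to; trees in sources/ that nothing links to are on disk but not served. They are still local code, so deleting them once the new version is confirmed working remains the cleaner end state.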