Bug #17213
closed
Storing ENABLE_INSTALL_TOOL in typo3conf is possibly insecure
Description
Since TYPO3 Version 4.1 the install tool can be enabled by placing an empty file ENABLE_INSTALL_TOOL in the typo3conf folder.
The directory typo3conf itself has to be writeable for the webserver (temp files, extensions, etc.). A possible attack would utilize an insecure extension or user-generated PHP code, etc. to create this file, since the webserver has sufficient rights to do so!
The functionality in earlier versions was more secure concerning this attack, since the install tool's index.php itself had to be changed and is not webserver writeable by default. But the old behaviour is not desirable in any way, because it was not possible to selectively enable the install tool on a single site.
Fixing this issue would mean storing the file in a folder that is not writeable for the webserver (needless to say, this depends on individual file permissions), e.g. htdocs or even some other directory outside htdocs.
Change
-------------------------------------------
$enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
----------------- to ----------------------
$enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/ENABLE_INSTALL_TOOL';
(issue imported from #M5440)
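An audit sketch for the permission question raised in this report, added here as an example and not part of the original issue or of TYPO3: it checks, from directory mode bits, whether a given account could create ENABLE_INSTALL_TOOL in typo3conf/ or in the site root. The function names, the sample directory layout and the web server uid are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

FLAG = "ENABLE_INSTALL_TOOL"

def can_create_in(directory, uid, gids):
    """True if the mode bits of `directory` let (uid, gids) create a file in it.
    Classic owner/group/other check only; ACLs and MAC policy are not read."""
    st = os.stat(directory)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def audit_flag_locations(site_root, uid, gids):
    """For both flag locations in the report, say whether the account can create the flag."""
    dirs = [os.path.join(site_root, "typo3conf"), site_root]
    return {os.path.join(d, FLAG): can_create_in(d, uid, gids) for d in dirs}

def build_sample_site():
    """Constructed layout: site root 0755, typo3conf 0775, web account in the group."""
    root = tempfile.mkdtemp(prefix="site-")
    conf = os.path.join(root, "typo3conf")
    os.mkdir(conf)
    os.chmod(root, 0o755)
    os.chmod(conf, 0o775)
    st = os.stat(conf)
    web_uid = st.st_uid + 1      # hypothetical web server uid, not the owner
    return root, web_uid, {st.st_gid}

if __name__ == "__main__":
    root, uid, gids = build_sample_site()
    for path, creatable in audit_flag_locations(root, uid, gids).items():
        print(("CREATABLE " if creatable else "protected ") + path)
```

On a real installation, pass the site root and the uid and group ids of the web server account instead of the constructed sample.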