Bug #18412
Status: closed
Typo3 puts all files under the webserver's document root
Description
The most basic concept in security is to allow as little as possible. Applied to web applications this means to make only those resources accessible through the webserver that are meant to be requested by the visitor directly.
Typo3 seems to ignore this concept completely, putting everything into the document root. From a security point of view this is ridiculous.
The implication of this is that ordinary visitors may download files that the administrator of the site didn't mean to publish, ranging from confidential documents, over raw template files, to PHP scripts ending with .inc that contain database access credentials.
The concept of a "fileadmin" folder that is used to both store internal data like HTML templates and publish files like images seems flawed to me because it serves two different purposes.
I suggest treating the Typo3 source like a real library, by not making it accessible through the webserver, but only creating symlinks into the webserver's root for the few resources that need to be accessible through it. (Mostly images, probably.)
The same applies to the Typo3 instances including typo3conf, the fileadmin and the extensions.
(issue imported from #M7808)
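One way to check a document root against the principle the report describes, and to build the split layout it proposes, as an added shell example (not Typo3's own code; every directory name and sample file below is constructed for the demo):

```shell
#!/bin/sh
# Added example (not Typo3 code): audit a document root for files that
# should never be served, and build the layout the report proposes, where the
# site sources live outside the docroot and only public assets are symlinked in.
# The directory names and sample files below are constructed for the demo.
set -eu

# Print every regular file under $1 whose name suggests it is not meant to be
# public (.inc scripts, raw templates). -L follows symlinks, because a web
# server with FollowSymLinks would serve files reached through a link too.
find_exposed() {
  find -L "$1" -type f \( -name '*.inc' -o -name '*.tmpl' \) | sort
}

# Number of exposed files under $1 (tr strips the padding BSD wc adds).
count_exposed() {
  find_exposed "$1" | wc -l | tr -d ' '
}

# Constructed "everything under the docroot" layout, as the report describes.
# Prints the docroot path.
make_flat_layout() {
  web="$1/htdocs_flat"
  mkdir -p "$web/typo3conf" "$web/fileadmin/templates" "$web/fileadmin/images"
  printf '<?php $dbpass = "constructed";\n' > "$web/typo3conf/db_credentials.inc"
  printf '<html><!-- ###CONTENT### --></html>\n' > "$web/fileadmin/templates/page.tmpl"
  printf 'PNG-bytes-placeholder\n' > "$web/fileadmin/images/logo.png"
  printf '%s\n' "$web"
}

# Constructed split layout: sources in a private library directory; the docroot
# holds only a symlink to the one directory that really must be public.
# Prints the docroot path.
make_split_layout() {
  lib="$1/typo3_lib"; web="$1/htdocs_split"
  mkdir -p "$lib/typo3conf" "$lib/fileadmin/templates" "$lib/fileadmin/images" "$web"
  printf '<?php $dbpass = "constructed";\n' > "$lib/typo3conf/db_credentials.inc"
  printf '<html><!-- ###CONTENT### --></html>\n' > "$lib/fileadmin/templates/page.tmpl"
  printf 'PNG-bytes-placeholder\n' > "$lib/fileadmin/images/logo.png"
  ln -s "$lib/fileadmin/images" "$web/images"
  printf '%s\n' "$web"
}
```

Running `count_exposed` on the flat layout reports the credentials script and the template; on the split layout it reports nothing, while the image is still reachable through the symlink.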