Feature #23987
Install Tool always unlocked when accessed via 127.0.0.1 (closed)
Description
If accessed via 127.0.0.1, the install tool can always be accessed, regardless of whether there is an ENABLE_INSTALL_TOOL file or not.
While this is okay on a development machine, it may be a security leak in production environments:
We've got one client that runs a reverse proxy and the website on the same machine. The backend vhost therefore gets all requests from 127.0.0.1, so the install tool is always open.
My suggestion: add a conf var like $TYPO3_CONF_VARS['BE']['installToolAlwaysAllowFromLocalhost'] that defaults to false.
(issue imported from #M16304)
Updated by Kevin Ulrich Moschallski about 14 years ago
Hi,
I can't reproduce this with my local MAMP setup with TYPO3 4.4.4.
The install tool is locked even when accessed via 127.0.0.1. I also can't find an exception in the source of the install tool for 127.0.0.1.
Please check this again.
Updated by Marcus Raphelt about 14 years ago
Sorry, picked the wrong version.
It's okay in 4.4.x, but present in 4.2.15:
typo3/install/index.php
// Change 1==2 to 1==1 if you want to lock the Install Tool regardless of the file ENABLE_INSTALL_TOOL
if (1==2 || ($_SERVER['REMOTE_ADDR']!='127.0.0.1' && !is_file($enableInstallToolFile))) {
header('Cache-Control: no-cache, must-revalidate');
Updated by Chris topher about 14 years ago
Hi Marcus,
please see #20878, which is about exactly this problem. People agreed not to create a new switch there, but to just remove the check for 127.0.0.1.
Please make a patch which fixes this issue the same way and send it to Core List, pointing people to the discussion of #20878! Basically I think committing the patch has been forgotten there and should still be done.
Thank you!
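To make the behaviour discussed in the description, in the 4.2.15 snippet above and in the #20878 resolution concrete, here is an added example (not TYPO3's own code) that models the install tool gate as a pure function. The first function reproduces the 4.2.15 condition; the second is the fix agreed in #20878, which drops the 127.0.0.1 exception so that only the ENABLE_INSTALL_TOOL file decides. The flag-file path and the sample client addresses are constructed for the example.

```php
<?php
// Added example, not TYPO3's code. Models the 4.2.15 gate from
// typo3/install/index.php and the fix agreed in #20878 (remove the
// 127.0.0.1 exception). $enableInstallToolFile plays the role of the
// ENABLE_INSTALL_TOOL flag file from the original snippet.

/**
 * 4.2.15 behaviour: the tool stays open for requests from 127.0.0.1
 * even when the flag file is absent. Behind a reverse proxy on the same
 * host every request carries REMOTE_ADDR 127.0.0.1, so the tool is
 * effectively always open.
 */
function installToolLocked_4_2_15(string $remoteAddr, string $enableInstallToolFile): bool
{
    return $remoteAddr !== '127.0.0.1' && !is_file($enableInstallToolFile);
}

/**
 * Fixed behaviour: only the presence of ENABLE_INSTALL_TOOL decides.
 * REMOTE_ADDR is not consulted, because behind a proxy it identifies
 * the proxy, not the client, and must not be used as an authorisation signal.
 */
function installToolLockedFixed(string $remoteAddr, string $enableInstallToolFile): bool
{
    return !is_file($enableInstallToolFile);
}

// Self-check with a constructed flag path in the temp directory.
$flag = sys_get_temp_dir() . '/ENABLE_INSTALL_TOOL.example';

// Constructed client addresses: a remote client hitting the backend
// directly, and any client whose request arrives via a local reverse proxy.
$clients = [
    '203.0.113.10' => 'remote client, no proxy',
    '127.0.0.1'    => 'any client via local reverse proxy',
];

foreach (['absent', 'present'] as $flagState) {
    if ($flagState === 'present') {
        touch($flag);
    } else {
        @unlink($flag);
    }
    echo "ENABLE_INSTALL_TOOL {$flagState}:\n";
    foreach ($clients as $addr => $desc) {
        printf("  %-36s 4.2.15 locked=%-3s fixed locked=%s\n",
            $desc,
            installToolLocked_4_2_15($addr, $flag) ? 'yes' : 'no',
            installToolLockedFixed($addr, $flag) ? 'yes' : 'no');
    }
}
@unlink($flag);
```

Run with `php example.php`: with the flag file absent, the 4.2.15 variant reports the tool unlocked for the 127.0.0.1 row (the reverse-proxy case from the description) while the fixed variant reports it locked for both rows; with the flag present both variants unlock. The manual `1==2` override from the original snippet is left out because it does not affect the localhost question.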
Updated by Alexander Opitz about 11 years ago
- Category set to Install Tool
- Status changed from Accepted to Closed
- Target version deleted (0)
Can't find this source part any more.
If you think that this is the wrong decision, then please write to the mailing list typo3.teams.bugs with the issue number and an explanation.