Feature #23987
closed
Install Tool always unlocked when accessed via 127.0.0.1
Added by Marcus Raphelt about 14 years ago.
Updated about 11 years ago.
Description
If accessed via 127.0.0.1, the install tool can always be accessed, regardless if there is a ENABLE_INSTALL_TOOL file or not.
While this is okay on a development machine, it may be a security leak in productive environments:
We've got one client that runs a reverse proxy and the Website on the same machine. The backend vhost therefore gets all requests from 127.0.0.1, so the install tool is always open.
My Suggestion: add a conf var like $TYPO3_CONF_VARS['BE']['installToolAlwaysAllowFromLocalhost'] that defaults to false.
(issue imported from #M16304)
Hi,
i can't reproduce this with my local MAMP setup with TYPO3 4.4.4.
The install tool is locked even when accessed via 127.0.0.1. I also can't find an exception in the source of the install tool for 127.0.0.1.
Please check this again.
Sorry, picked the wrong version.
It's okay in 4.4.x, but present in 4.2.15:
typo3/install/index.php
55 // Change 1==2 to 1==1 if you want to lock the Install Tool regardless of the file ENABLE_INSTALL_TOOL
56 if (1==2 || ($_SERVER['REMOTE_ADDR']!='127.0.0.1' && !is_file($enableInstallToolFile))) {
57 header('Cache-Control: no-cache, must-revalidate');
Hi Marcus,
please see #20878, which is about exactly this problem. People agreed not to create a new switch there, but to just remove the check for 127.0.0.1.
Please make a patch which fixes this issue the same way and send it to Core List, pointing people to the discussion of #20878! Basically I think committing the patch has been forgotten there and should still be done.
Thank you!
- Category set to Install Tool
- Status changed from Accepted to Closed
- Target version deleted (
0)
Can't find this source part any more.
If you think, that this is the wrong decision, then please write to the mailing list typo3.teams.bugs with issue number and an explanation.
Also available in: Atom
PDF