Feature #82002: Implement first installation token - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Feature #82002

open

Implement first installation token

Added by Oliver Hader over 7 years ago. Updated about 1 month ago.

Status:

Accepted

Priority:

Should have

Assignee:

Category:

Security

Target version:

Candidate for Major Version

Start date:

2017-07-29

Due date:

% Done:

Estimated time:

PHP Version:

Tags:

Complexity:

Sprint Focus:

Description

see https://www.golem.de/news/certificate-transparency-hacking-web-applications-before-they-are-installed-1707-129172.html

Steps for TYPO3

TYPO3 creates FIRST_INSTALL.php (name to be discussed) file on first request with some random token
admin has to open that file and copy&paste the token to the Install Tool
only the created session with the correct token in the step-installer allows to take further actions

Actions

Copy link

Updated by Helmut Hummel over 7 years ago

create FIRST_INSTALL file on first request with some random token

By default this file is in document root, which means it can be downloaded

Actions

Copy link

Updated by Oliver Hader over 7 years ago

Description updated (diff)

Actions

Copy link

Updated by Oliver Hader over 7 years ago

Helmut Hummel wrote:

create FIRST_INSTALL file on first request with some random token

By default this file is in document root, which means it can be downloaded

True. I adjusted the description which is of course still topic to be discussed and not the "final list".

Actions

Copy link

Updated by Oliver Hader over 7 years ago

OTRS-Sec Ticket-ID set to 201704095760000011

Actions

Copy link

Updated by Benni Mack about 7 years ago

we could rename it to ".FIRST_INSTALL"

Actions

Copy link

Updated by Oliver Hader about 7 years ago

Status changed from New to Accepted

As the article mentions that TYPO3 is not that bad compared to other CMS vendors - since we have the FIRST_INSTALL semaphore already in place - this is considered as feature for TYPO3 9.

Actions

Copy link