Protect your database

Posted in database/ on April 21, 2009 by Marcus.

Limit access to the database server

You have a web application firewall or even a dedicated appliance to protect your web server? If so, that's great. But, what are you doing to protect the data itself?

The database server much more deserves to be properly secured; it's where your actual data is stored. The web server together with TYPO3 Core is just a nice frontend to the database.

To back that up:
In February 2009, TYPO3 fixed a severe vulnerability where any file the web server user account has access to was exposed to website users. (TYPO3-SA-2009-002). Crackers exploited that vulnerability and placed a fake message on the website of the well-known german soccer team FC Schalke 04. That message announced the dismissal of a player. You can imagine that this attracted attention by press and damaged the teams reputation.

According to reports, the cracker did not use TYPO3 at all. No, he just connected to the database server with the credentials he gained by exploiting the vulnerability and modified data there.

So the web site service provider failed to secure the database server.

 

How to avoid it:

If your web and database server are on the same host, there's no need to let the database server listen on a publicly available interface. Bind the server to localhost (127.0.0.1) only!

If your web and database server are on different hosts, restrict access to the database server with a firewall rule to the subnet only where you web servers are running in. The connection could be secured by using a VPN or VLAN.

Then, on the database server itself, let the database user only connect from a specific IP or subnet to the TYPO database. (see tutorial IP restricted DB access)

Permalink | Comments: 0
Tags:  TYPO3 Security Blog
Views: 0

First things first

Posted in advisory/ on April 21, 2009 by Marcus.

Subscribe to the announce mailinglist

As security aware person you want to be informed of security updates. Nothing easier than that. The TYPO3 announce mailinglist is a low traffic list; only common major minor releases are announced besides the important security updates.

On that list, security fixes for the TYPO3 Core and for TYPO3 extensions (available in TER) are announced.

In the past, for severe vulnerabilities and according security fixes pre-announcement have been posted there so that every TYPO3 admin is prepared for immediate action.

So, if you are maintaining TYPO3 websites, please make sure to be subscribed to that list.

Subscribe now!

 

In addition, you might want to subscribe to the Security newsfeed listed on http://news.typo3.org/xml-feeds/

Both, announce mailinglist and security newsfeed are updated when there's a new security advisory. But in case of mail server problems on your side you may want have a backup in place - the security news feed.

Permalink | Comments: 2
Tags:  mailinglist
Views: 1

Categories

  • advisory(9)
  • book(1)
  • [-]database(1)
  • exploit(1)
  • hacks(2)
  • others(6)
  • PHP(1)
  • TYPO3(23)

Tag cloud