The TYPO3 Install Tool - great help for Blackhats

Posted in TYPO3/ on April 21, 2009 by Marcus.

Protect the TYPO3 Install Tool

The TYPO3 install tool is a great help when initially installing TYPO3, configuring TYPO3 or debugging it.
As it should run during the install process, it's a complete isolated module. It is restricted by a password only.

When TYPO3 is running smoothly, there's no need to let the tool enabled. Enabling it is done with creation of one single file called
typo3conf/ENABLE_INSTALL_TOOL

Obviously the first task is to change the initial password (joh316) to something different and more complex. Just assign the md5-hash of the new password to
$TYPO3_CONF_VARS['BE']['installToolPassword']
and put the line in file
typo3conf/localconf.php

If you regulary need to access the tool, set up an additional barrier like a htaccess protection for directory
typo3/install

So what's the problem of the install tool?

It allows to modify files with the rights of the web server user account. If someone unauthorized gains access to the tool, he has the same possibilities like somebody with a local user account on the web server.

In the past there were several reports where Blackhats used the TYPO3 Install Tool to setup a webshell on the server. You obviously want to avoid that.

 

If your website administrators need to use the TYPO3 Install Tool and therefore are able to create the ENABLE_INSTALL_TOOL file by themselfes (using ftp access or whatever), you might want to consider running an hourly cronjob to remove these files again.

Call following command every hour as root:
find / -name ENABLE_INSTALL_TOOL -type f -mmin +60 -exec rm -f {} \;

This removes such files if they are older than 60 minutes.