Author: Peter Kraume

Unprotected .git or .svn directories put your website at risk of information disclosure

Version control software is very popular among web developers, and the most widely used tool is probably Git. Unfortunately the repository directory, e.g. .git, is often left unprotected in production environments. These folders not only contain the source code of a website but also database credentials, API access keys or tokens for popular cloud services like Amazon AWS, salts and hashes. Even more problematic is private data contained in SQL dumps or CSV files. Studies, e.g. by Internetwache.org or Jamie Brown, show that a considerable number of websites are affected by this problem. There are a lot of tools available that can download entire Git or Subversion repositories even if directory listing is denied.

To check whether your Git folder is accessible via the web, just point your browser to www.domain.tld/.git/config. If you receive an error message, everything is fine. Otherwise you should protect your installation as soon as possible.

How to disable web access:

Apache

The easiest approach is the global web server configuration, e.g. /etc/apache2/conf.d/security, or the vhost configuration:

    <DirectoryMatch "/\.git">
        Require all denied
    </DirectoryMatch>

    <DirectoryMatch "/\.svn">
        Require all denied
    </DirectoryMatch>

In shared hosting environments without direct access to the vhost configuration you can use the .htaccess file to deny access to repository folders:

    RewriteEngine On
    RewriteRule .git - [L,R=404]
    RewriteRule .svn - [L,R=404]
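
The following is an added example, not the configuration from the original post. It collapses both DirectoryMatch blocks into one pattern and anchors the .htaccess rewrite so it matches only real .git/.svn path components; it assumes Apache 2.4 (the Require syntax) with mod_rewrite available for the .htaccess part.

```apache
# Added example (not from the original post). Assumes Apache 2.4.
#
# Server/vhost context, e.g. /etc/apache2/conf.d/security: one DirectoryMatch
# covers Git and Subversion. The pattern requires a literal dot and a following
# "/" or end of path, so /site/.git and /site/sub/.svn/wc.db are denied while
# unrelated paths are left alone.
<DirectoryMatch "/\.(git|svn)(/|$)">
    Require all denied
</DirectoryMatch>

# .htaccess alternative for shared hosting (also valid in vhost context).
# An unanchored "RewriteRule .git" is a regex in which "." matches any
# character, so it would also hit paths such as /legit/page. Anchoring the
# dot and the directory boundary restricts it to the repository folders.
RewriteEngine On
RewriteRule (^|/)\.(git|svn)(/|$) - [L,R=404]
```

After reloading Apache, repeat the browser check against /.git/config and /.svn/entries; both should now return 403 or 404 instead of file contents.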


Book “Modern Extension Development for TYPO3 CMS with Extbase & Fluid” available in English

A couple of days ago Patrick Lobacher announced the immediate availability of the book “Modern Extension Development for TYPO3 CMS with Extbase & Fluid” in English. This book is not only the translated version of the German edition but has also been revised to take TYPO3 CMS 7 into account. The translation has been reviewed by two English native speakers and the new book has been published by Open Source Press.

The book explains how to use the Extbase framework and the Fluid templating engine to extend TYPO3 CMS using modern standards. The first two chapters start with the basics of Object-Oriented Programming and Domain Driven Design (DDD) and then continue with an overview of Extbase. After the theory, Domain Model Creation (Modelling) is demonstrated using the Extension Builder. Then the book dives headfirst into the creation of your first Extbase extension by explaining the CRUD process, Fluid Templating, the Query Manager and Repositories. The last chapters cover TypoScript and FlexForm Configuration, Validation and Error Handling, Relations, Creating Your Own ViewHelpers, Multi-Language, Backend Modules, The Property Mapper and Best Practices.

There is a dedicated website for the book where you can find further information. The table of contents is available for download, as well as an excerpt of one of the chapters. The book is internationally available. You can buy it online or in your favorite book shop (ISBN 978-3-95539-151-5). The authors Patrick Lobacher and Michael Schams took a huge effort to translate the book and see...


Have a day full of fun and prolong your TYPO3 integrator certification along the way

Today is the last day for grabbing an early bird offer for the TYPO3 Alumni #certiFUNcation Day on the 5th of June, 2015 in one of Europe’s biggest theme parks: Phantasialand near Cologne, Germany! Join, learn, and meet present and future TYPO3 Certified Integrators!

So what is this all about? The TYPO3 education team is organizing a day full of workshops and fun for all current or future TYPO3 Certified Integrators. And here is the best part: just by attending the mandatory workshops your certification will be extended for an additional 12 months! Here are some facts about what’s included:

- Workshops about the improvements in the latest TYPO3 versions and about security in TYPO3
- Preparation workshop for the certification
- Live certification (no additional fee!)
- Theme park entrance fee including one hour of exclusive rides with the Black Mamba rollercoaster!
- Special evening event with dinner

If you ever thought about doing the TYPO3 Certified Integrator exam you should definitely have a look at this offer! For a really cheap price you get the certification, the preparation workshop and a day full of fun. And if you’re already certified, you can easily prolong your certification without taking the exam again! All info and a detailed FAQ about the event can be found here. Tickets are available...
