2 /***************************************************************
5 * (c) 2009 Ingo Renner <ingo@typo3.org>
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
27 * Performs several checks about the system's health
29 * @author Ingo Renner <ingo@typo3.org>
33 class tx_reports_reports_status_SecurityStatus
implements tx_reports_StatusProvider
{
/**
 * Determines the Install Tool's status, mainly concerning its protection.
 *
 * The pending admin command is executed first, so that a just-removed
 * ENABLE_INSTALL_TOOL file is already reflected by the checks collected
 * below. One status object is returned per check, keyed by check name.
 *
 * @see typo3/sysext/reports/interfaces/tx_reports_StatusProvider::getStatus()
 * @return array Status objects (tx_reports_reports_status_Status) keyed by check name
 */
public function getStatus() {
	$this->executeAdminCommand();

	$statuses = array(
		'adminUserAccount'    => $this->getAdminAccountStatus(),
		'encryptionKeyEmpty'  => $this->getEncryptionKeyStatus(),
		'fileDenyPattern'     => $this->getFileDenyPatternStatus(),
		'htaccessUpload'      => $this->getHtaccessUploadStatus(),
		'installToolEnabled'  => $this->getInstallToolProtectionStatus(),
		'installToolPassword' => $this->getInstallToolPasswordStatus(),
	);

	return $statuses;
}
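/**
 * Checks whether a backend user account named "admin" with the default
 * password still exists.
 *
 * The password column is compared against the MD5 digest of the well-known
 * default password ("password"), so only that exact default is detected; a
 * renamed account or a different weak password is not reported by this check.
 *
 * @return tx_reports_reports_status_Status Status object representing whether a default admin account exists
 */
protected function getAdminAccountStatus() {
	$value    = $GLOBALS['LANG']->getLL('status_ok');
	$message  = '';
	$severity = tx_reports_reports_status_Status::OK;

	// Both literals go through the DB layer's quoting; the hash is md5('password').
	$whereClause = 'username = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('admin', 'be_users')
		. ' AND password = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr('5f4dcc3b5aa765d61d8327deb882cf99', 'be_users')
		. t3lib_BEfunc::deleteClause('be_users');
	$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
		'uid, username, password',
		'be_users',
		$whereClause
	);

	if ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
		$value    = $GLOBALS['LANG']->getLL('status_insecure');
		$severity = tx_reports_reports_status_Status::ERROR;

		// The uid is cast so that only an integer is ever placed into the edit link.
		$editUserAccountUrl = 'alt_doc.php?returnUrl=index.php&edit[be_users][' . (int) $row['uid'] . ']=edit';
		$message = sprintf(
			$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.backend_admin'),
			'<a href="' . $editUserAccountUrl . '">',
			'</a>'
		);
	}
	$GLOBALS['TYPO3_DB']->sql_free_result($res);

	return t3lib_div::makeInstance('tx_reports_reports_status_Status',
		$GLOBALS['LANG']->getLL('status_adminUserAccount'), $value, $message, $severity
	);
}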
/**
 * Checks whether the encryption key is empty.
 *
 * An empty key is reported as an error together with a link into the
 * Install Tool's configuration section where it can be set.
 *
 * @return tx_reports_reports_status_Status Status object representing whether the encryption key is set
 */
protected function getEncryptionKeyStatus() {
	$keyIsEmpty = empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);

	$value    = $GLOBALS['LANG']->getLL($keyIsEmpty ? 'status_insecure' : 'status_ok');
	$severity = $keyIsEmpty
		? tx_reports_reports_status_Status::ERROR
		: tx_reports_reports_status_Status::OK;
	$message  = '';

	if ($keyIsEmpty) {
		// Deep link to the encryptionKey setting in the Install Tool.
		$url = 'install/index.php?redirect_url=index.php'
			. urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');
		$message = sprintf(
			$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_encryption'),
			'<a href="' . $url . '">',
			'</a>'
		);
	}

	return t3lib_div::makeInstance('tx_reports_reports_status_Status',
		$GLOBALS['LANG']->getLL('status_encryptionKey'), $value, $message, $severity
	);
}
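/**
 * Checks whether fileDenyPattern was changed from its default, which is
 * dangerous on Apache: the default pattern is what keeps .htaccess and
 * script files out of upload directories.
 *
 * @return tx_reports_reports_status_Status Status object representing whether the file deny pattern has been changed
 */
protected function getFileDenyPatternStatus() {
	$value    = $GLOBALS['LANG']->getLL('status_ok');
	$message  = '';
	$severity = tx_reports_reports_status_Status::OK;

	// Strict comparison: both sides are strings, and a loose != would compare
	// numeric-looking patterns as numbers.
	if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== FILE_DENY_PATTERN_DEFAULT) {
		$value    = $GLOBALS['LANG']->getLL('status_insecure');
		$severity = tx_reports_reports_status_Status::ERROR;

		// NOTE(review): this link is built but not referenced by the message below
		// in the reviewed listing, and its anchor is the encryptionKey one (copied
		// from getEncryptionKeyStatus()) — point it at the fileDenyPattern setting
		// and use it, or drop it.
		$url = 'install/index.php?redirect_url=index.php'
			. urlencode('?TYPO3_INSTALL[type]=config#set_encryptionKey');

		// The default pattern is shown so an admin can restore it; it is escaped
		// because it is rendered inside the HTML report.
		$message = sprintf(
			$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
			htmlspecialchars(FILE_DENY_PATTERN_DEFAULT)
		);
	}

	return t3lib_div::makeInstance('tx_reports_reports_status_Status',
		$GLOBALS['LANG']->getLL('status_fileDenyPattern'), $value, $message, $severity
	);
}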
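/**
 * Checks whether fileDenyPattern allows uploading .htaccess files, which is
 * dangerous on Apache (an uploaded .htaccess changes how the web server
 * treats the upload directory).
 *
 * @return tx_reports_reports_status_Status Status object representing whether .htaccess files can be uploaded
 */
protected function getHtaccessUploadStatus() {
	$value    = $GLOBALS['LANG']->getLL('status_ok');
	$message  = '';
	$severity = tx_reports_reports_status_Status::OK;

	// Only a pattern that differs from the default can let '.htaccess' through;
	// the verify call is read here as "the file name is allowed", i.e. not denied
	// — confirm against t3lib_div::verifyFilenameAgainstDenyPattern().
	if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== FILE_DENY_PATTERN_DEFAULT
		&& t3lib_div::verifyFilenameAgainstDenyPattern('.htaccess')) {
		$value    = $GLOBALS['LANG']->getLL('status_insecure');
		$severity = tx_reports_reports_status_Status::ERROR;
		$message  = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_htaccess');
	}

	return t3lib_div::makeInstance('tx_reports_reports_status_Status',
		$GLOBALS['LANG']->getLL('status_htaccessUploadProtection'), $value, $message, $severity
	);
}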
/**
 * Checks whether memcached is configured; if it is, we assume it is also used.
 *
 * NOTE(review): getConfiguredMemcachedServers() is not defined in this class
 * in the reviewed listing — confirm it exists on this class or a parent.
 *
 * @return boolean TRUE if memcached is used, FALSE otherwise.
 */
protected function isMemcachedUsed() {
	$configuredServers = $this->getConfiguredMemcachedServers();

	return count($configuredServers) > 0;
}
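/**
 * Executes admin commands passed via the "adminCmd" GET parameter; currently
 * the only command is removing the Install Tool enable file.
 *
 * NOTE(review): the command is taken straight from the query string, so a plain
 * link triggers it (see the link built in getInstallToolProtectionStatus()).
 * Removal is the safe direction (it disables the Install Tool), but the report
 * presumably relies on the backend module being reachable only by authenticated
 * admins — confirm; a request token would additionally stop it from being
 * triggered by a crafted link.
 *
 * @return void
 */
protected function executeAdminCommand() {
	$command = t3lib_div::_GET('adminCmd');

	switch ($command) {
		case 'remove_ENABLE_INSTALL_TOOL':
			$enableInstallToolFile = PATH_site . 'typo3conf/ENABLE_INSTALL_TOOL';
			// The report link can be followed more than once; only unlink an
			// existing file so a repeated request does not raise a warning.
			if (is_file($enableInstallToolFile)) {
				unlink($enableInstallToolFile);
			}
			break;
	}
}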
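/**
 * Checks whether the Install Tool password is still set to its default value.
 *
 * @return tx_reports_reports_status_Status Status object representing the security of the Install Tool password
 */
protected function getInstallToolPasswordStatus() {
	$value    = $GLOBALS['LANG']->getLL('status_ok');
	$message  = '';
	$severity = tx_reports_reports_status_Status::OK;

	// 'joh316' is the shipped default; the setting stores its MD5 digest.
	// Compared strictly: a loose == on two hex digests can treat numeric-looking
	// digests (e.g. "0e...") as equal numbers.
	if ($GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] === md5('joh316')) {
		$value    = $GLOBALS['LANG']->getLL('status_insecure');
		$severity = tx_reports_reports_status_Status::ERROR;

		// Deep link to the Install Tool page where the password can be changed.
		$changeInstallToolPasswordUrl = 'install/index.php?redirect_url=index.php'
			. urlencode('?TYPO3_INSTALL[type]=about');
		$message = sprintf(
			$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_password'),
			'<a href="' . $changeInstallToolPasswordUrl . '">',
			'</a>'
		);
	}

	return t3lib_div::makeInstance('tx_reports_reports_status_Status',
		$GLOBALS['LANG']->getLL('status_installToolPassword'), $value, $message, $severity
	);
}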
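/**
 * Checks for the existence of the ENABLE_INSTALL_TOOL file.
 *
 * The file's presence is what enables the Install Tool, so an existing file
 * is reported as a warning together with a link that removes it again
 * (handled by executeAdminCommand()).
 *
 * @return tx_reports_reports_status_Status Status object representing whether ENABLE_INSTALL_TOOL exists
 */
protected function getInstallToolProtectionStatus() {
	$enableInstallToolFile = PATH_site . 'typo3conf/ENABLE_INSTALL_TOOL';
	$value    = $GLOBALS['LANG']->getLL('status_disabled');
	$message  = '';
	$severity = tx_reports_reports_status_Status::OK;

	$enableInstallToolFileExists = is_file($enableInstallToolFile);

	// The previous condition "exists || (exists && content === 'KEEP_FILE')"
	// reduces to "exists": a KEEP_FILE marker was never treated differently.
	// NOTE(review): if a permanently enabled tool (KEEP_FILE) is meant to get
	// its own status, that branch still has to be written.
	if ($enableInstallToolFileExists) {
		$value    = $GLOBALS['LANG']->getLL('status_enabled');
		$severity = tx_reports_reports_status_Status::WARNING;

		// The removal link reuses the current request URL (appending with '&'
		// presumably relies on the module URL already carrying a query string).
		// That URL originates from the request, so it is escaped before being
		// placed into the attribute, as is the server path shown in the message.
		$disableInstallToolUrl = t3lib_div::getIndpEnv('TYPO3_REQUEST_URL')
			. '&adminCmd=remove_ENABLE_INSTALL_TOOL';

		$message = sprintf(
			$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled'),
			'<span style="white-space: nowrap;">' . htmlspecialchars($enableInstallToolFile) . '</span>'
		);
		$message .= ' <a href="' . htmlspecialchars($disableInstallToolUrl) . '">'
			. $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.install_enabled_cmd')
			. '</a>';
	}

	return t3lib_div::makeInstance('tx_reports_reports_status_Status',
		$GLOBALS['LANG']->getLL('status_installTool'), $value, $message, $severity
	);
}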
// XCLASS hook: lets an extension replace this class with its own implementation.
// NOTE(review): the key names class.tx_reports_reports_status_systemstatus.php
// although this file declares the SecurityStatus provider — an XCLASS registered
// for this class would not be picked up; confirm against the actual file name.
$xclassKey = 'ext/reports/reports/status/class.tx_reports_reports_status_systemstatus.php';
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS'][$xclassKey]) {
	include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS'][$xclassKey]);
}