t3olayout issues
https://git.typo3.org/services/t3o-sites/common/t3olayout/-/issues
2024-03-25T20:11:28Z
https://git.typo3.org/services/t3o-sites/common/t3olayout/-/issues/385
Newslist
2024-03-25T20:11:28Z
Lorenz Losmann
* [x] Reduce margins up until breakpoint XL
* [x] Remove hover-bg
* [ ] hover font-color to $brand-primary
* [ ] headline margin-bottom: .25rem
* [x] See #395: Fix list-element margins
![Bildschirmfoto_2017-12-21_um_22.39.17](/uploads/5096c64381f4c507f7c6074eaf900fba/Bildschirmfoto_2017-12-21_um_22.39.17.png)
_Ready for sprint
Siddharth Sheth
https://git.typo3.org/services/t3o-sites/common/t3olayout/-/issues/334
Implement Brute Force Protection for BE and FE login
2024-03-25T20:07:35Z
Stefan Busemann
It should be possible to implement such a protection using hooks in user authentication.
This is not critical, but nice to have, as we provide quite some services for t3org accounts.
From https://forge.typo3.org/issues/55944
Hi Christian,
thanks for looking into this.
First off: The main goal of my request is to protect user accounts because a compromised account can cause a lot of issues, especially for "valuable" accounts with lots of permissions bound to them.
Brute force protection consists of three parts:
* Monitoring
* Detection of "irregular" patterns
* Notifications or other actions based on these patterns

Christian Zenker wrote:
> Brute Forcing an account: An attacker tries to get access to a specific account. Easy to detect by number of failed logins for a specific username.

A specific username, may it exist or not.

> Brute Forcing any account (single IP): An attacker tries to get access to any account. Easy to detect by number of failed logins by IP.
> Brute Forcing any account (multiple IPs): Multiple attackers try to get access to any account. Detection hard to impossible.

From my understanding, these two do not differ too much and do not necessarily need to be distinguished when creating a pattern.
Regarding the main goal I mentioned above they are also not so relevant, if we assume that users have reasonable passwords.
They are of course relevant if we also want to protect accounts with (very) weak passwords (which could be implemented on top).
Regarding the possibility to detect these scenarios: If we implemented monitoring of failed login attempts and built metrics from this data,
I think it would still be possible to detect deviance from "normal" patterns and we could at least notify admins.
But I agree that this would involve quite some work.

> Counter Measures
> Blocking username. Problem: A malicious attacker could easily block access to a user account.
> Blocking IPs. Problem: Proxies, aka company networks.
> Captchas. Problem: Heavy logic and deep integration in the extension if you want them optional for only some users/IPs.
> Regularly changing passwords. Problem: user acceptance.
> Authentication delay aka "Wait 3 seconds before showing a result". Problem: does not work for parallelized attacks. Possible DoS on the webserver.
> Should admin accounts also be affected?
> Should there be a whitelist of IPs?
> Should there be a way to "unblock" users/IPs? Who takes care of this?
> It's really hard to do this right (I would even say it is impossible). So what do you expect from a solution? How much user convenience are we willing to sacrifice?

Yes, it involves work. Is it possible to make it 100% secure? No. This is not possible for anything at all.
Can we implement a solution that mitigates most of the attack vectors and does not involve 10 people constantly watching failed login patterns 24/7?
I absolutely think so.
If we focus on protecting single accounts I would suggest the following countermeasures:
* Log and count failed logins of (valid/existing) user accounts (mandatory)
* Reset the counter after a certain period of time and after a successful login (mandatory)
* Present a captcha after 5 failed logins (optional but makes sense)
* Block access to the account after 10 failed logins and at the same time inform the account owner by mail about that, with a link to re-activate the account (mandatory)

Is this perfect? Probably not. But it is much better than nothing, and users are only bothered when something strange really is going on.

> Also, are you aware of any TYPO3 extensions that could be used? Other frameworks/infrastructure that might help?

Unfortunately not. A quick search revealed https://github.com/codeconsortium/CCDNUserSecurityBundle which might be interesting, but I have not looked at it.
Hi Helmut,
I'd like to ask for some of your ideas on details.

Attack Scenarios
* Brute Forcing an account: An attacker tries to get access to a specific account. Easy to detect by number of failed logins for a specific username.
* Brute Forcing any account (single IP): An attacker tries to get access to any account. Easy to detect by number of failed logins by IP.
* Brute Forcing any account (multiple IPs): Multiple attackers try to get access to any account. Detection hard to impossible.

Anything else?

Counter Measures
* Blocking username. Problem: A malicious attacker could easily block access to a user account.
* Blocking IPs. Problem: Proxies, aka company networks.
* Captchas. Problem: Heavy logic and deep integration in the extension if you want them optional for only some users/IPs.
* Regularly changing passwords. Problem: user acceptance.
* Authentication delay aka "Wait 3 seconds before showing a result". Problem: does not work for parallelized attacks. Possible DoS on the webserver.

Anything else?

Other problems
* Should admin accounts also be affected?
* Should there be a whitelist of IPs?
* Should there be a way to "unblock" users/IPs? Who takes care of this?

Anything else?

Sum up
It's really hard to do this right (I would even say it is impossible). So what do you expect from a solution? How much user convenience are we willing to sacrifice?
Also, are you aware of any TYPO3 extensions that could be used? Other frameworks/infrastructure that might help?

Further reading/ideas
* https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Login
* https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
_Ready for sprint
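The per-account lockout policy proposed in this issue (count failures for existing accounts only, reset the counter after a period of time and after a successful login, captcha after 5 failures, lock after 10 and mail the owner a reactivation link), worked through as an added example. This is not code from the issue, from TYPO3 or from any TYPO3 extension: it models the policy in plain Python rather than as a TYPO3 authentication hook, and the 15-minute failure window, the 24-hour link lifetime and the `LoginGuard`/`simulate_attack` names are assumptions of this example, not values from the thread.

```python
"""Model of the account-lockout policy proposed in the issue (example code).

Thresholds (captcha after 5, lock after 10) come from the thread; the failure
window and the reactivation-link lifetime are assumed values for this example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

CAPTCHA_AFTER = 5           # failed logins before a captcha is required
LOCK_AFTER = 10             # failed logins before the account is locked
FAILURE_WINDOW = 15 * 60    # seconds of quiet after which the counter resets (assumed)
TOKEN_TTL = 24 * 3600       # seconds a mailed reactivation link stays valid (assumed)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked: bool = False
    reactivation_token: Optional[str] = None
    token_expires: float = 0.0


class LoginGuard:
    """Per-account failed-login counter with captcha and lockout thresholds."""

    def __init__(self, known_users: Iterable[str], now: Callable[[], float] = time.time):
        self._users = set(known_users)   # only existing accounts are counted
        self._now = now                  # injectable clock so the policy can be tested
        self._state: Dict[str, AccountState] = {}

    def _get(self, username: str) -> AccountState:
        st = self._state.setdefault(username, AccountState())
        # "Reset the counter after a certain period of time"
        if st.failures and self._now() - st.last_failure > FAILURE_WINDOW:
            st.failures = 0
        return st

    def status(self, username: str) -> str:
        """'ok', 'captcha' or 'locked'. Unknown usernames always yield 'ok', so the
        response does not reveal whether an account exists (no user enumeration)."""
        if username not in self._users:
            return "ok"
        st = self._get(username)
        if st.locked:
            return "locked"
        if st.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, username: str) -> Optional[str]:
        """Count a failed login. Returns a reactivation token when this failure
        locks the account (the caller mails it to the owner), otherwise None."""
        if username not in self._users:
            return None                  # failures against non-existent accounts are not counted
        st = self._get(username)
        if st.locked:
            return None                  # further attempts do not extend or re-issue the lock
        st.failures += 1
        st.last_failure = self._now()
        if st.failures >= LOCK_AFTER:
            st.locked = True
            st.reactivation_token = secrets.token_urlsafe(32)   # unguessable, single use
            st.token_expires = self._now() + TOKEN_TTL
            return st.reactivation_token
        return None

    def record_success(self, username: str) -> None:
        """'Reset the counter ... after a successful login'."""
        if username in self._users:
            self._state[username] = AccountState()

    def reactivate(self, username: str, token: str) -> bool:
        """Unlock via the mailed link: expiring, single use, constant-time compare."""
        st = self._state.get(username)
        if st is None or not st.locked or st.reactivation_token is None:
            return False
        if self._now() > st.token_expires:
            return False
        if not hmac.compare_digest(st.reactivation_token.encode(), token.encode()):
            return False
        self._state[username] = AccountState()
        return True


def simulate_attack(attempts: int) -> List[Tuple[str, bool]]:
    """Constructed scenario: one attacker hammering the account 'alice'.
    Returns (status after the attempt, whether a lock token was issued) per attempt."""
    guard = LoginGuard(["alice"], now=lambda: 1000.0)
    seen = []
    for _ in range(attempts):
        token = guard.record_failure("alice")
        seen.append((guard.status("alice"), token is not None))
    return seen
```

Two details matter beyond the thread's list: the login response must look the same for existing and non-existent usernames (here `status()` and `record_failure()` treat unknown names as a no-op), otherwise the counter itself becomes a username oracle; and the "attacker can lock a victim out" problem the thread raises is reduced to a nuisance because only the mailed token, compared in constant time and expiring, can clear the lock. In a real deployment the state lives in the database rather than a dict, and an IP-based limit is kept as a second layer for the "any account" scenarios.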
https://git.typo3.org/services/t3o-sites/common/t3olayout/-/issues/333
Ask the user if the resource currently used was helpful
2024-03-25T20:07:27Z
Stefan Busemann
http://typo3.org/extension-manuals/th_feedback/0.0.3/view/1/4/
Big companies like Google and Microsoft use things like that for quality assurance to enhance their articles.
![2013-08-29_17-06-40](/uploads/637de704236470220ff7163cb1e537be/2013-08-29_17-06-40.png)
https://forge.typo3.org/issues/46527
_Ready for sprint
NITSAN
sanjay@nitsan.in
https://git.typo3.org/services/t3o-sites/common/t3olayout/-/issues/322
Provide copyright infos of pictures
2024-03-25T20:05:14Z
Stefan Busemann
This is a small example TypoScript snippet from @mabolek:
```typoscript
# Footer copyright line: "© <current year> <site copyright holder>"
lib.footer.copyright = TEXT
lib.footer.copyright {
  data = date:U
  strftime = %Y
  noTrimWrap = |<p class="copyright"> © | {$themes.configuration.footer.copyright}</p>|

  # Followed by one entry per image on the current page whose
  # sys_file_metadata record has a non-empty copyright field
  append = CONTENT
  append {
    table = tt_content
    select {
      selectFields = sys_file_metadata.*, tt_content.uid AS contentuid
      pidInList = this
      orderBy = tt_content.sorting
      join = sys_file_reference ON sys_file_reference.uid_foreign = tt_content.uid JOIN sys_file_metadata ON sys_file_reference.uid_local = sys_file_metadata.file
      where = sys_file_reference.tablenames = 'tt_content' AND sys_file_reference.table_local = 'sys_file' AND sys_file_metadata.copyright != '' AND sys_file_reference.deleted = 0 AND sys_file_reference.hidden = 0
      groupBy = sys_file_reference.uid_local
    }
    renderObj = COA
    renderObj {
      # Thumbnail of the file (sys_file_metadata.file holds the sys_file uid)
      10 = IMAGE
      10 {
        file {
          import.field = file
          height = 20
        }
      }
      # The copyright text is editor-supplied metadata, so it is HTML-escaped before output
      20 = TEXT
      20 {
        field = copyright
        noTrimWrap = | ©| |
        htmlSpecialChars = 1
      }
      stdWrap.required = 1
      # Link each entry to the content element (#c<uid>) that uses the image
      stdWrap.typolink {
        parameter.field = contentuid
        parameter.wrap = #c|
      }
      stdWrap.wrap = <span>|</span>
    }
    # Render the "Photo Copyright" paragraph only if at least one image had a copyright
    stdWrap.required = 1
    stdWrap.noTrimWrap = |<p class="copyright">Photo Copyright: |</p>|
  }
}
```
We could provide copyright information for the photos used.
Todos:
* decide if needed
* Define a design
_Ready for sprint