[support] Is it mandatory to run updates if only trusted people can create content and comments?

Justin Gruenberg justin.gruenberg at gmail.com
Tue May 19 21:07:38 UTC 2009


Any data from a user is a possible attack vector for potential
hackers. I'd say that if users can't create or modify content you're
safer, but I'd still run updates. Not only do the updates fix security
problems, they provide bug fixes which might improve the functioning
of your site.

On 5/15/09, Francesco <entuland at gmail.com> wrote:
> Hi everybody,
> some questions which I wasn't able to find an answer to, searching the
> web and the Drupal site (as I mentioned before, the link for searching
> the support list archives is broken, hence I couldn't search there).
>
> Some of the sites I'm creating do not give users the ability to
> create content, nor to comment on anything.
>
> Only administrators can create content and post comments, as well as
> creating new accounts (but those sites will have just a handful of
> users in any case, the administrators themselves).
>
> So the question is: in such a scenario, is it mandatory to run updates
> - especially security updates?
>
> My knowledge about security issues borders the zero line, hence I
> really don't know how much risk I would be taking by not running
> updates regularly - by the way, regular backups are a rule for me in
> any case, moreover because I could break the site myself ;-)
>
> Imagine now I give anonymous users the ability to comment, while
> keeping all content creation permissions for administrators, would
> then an outdated site still be safe?
>
> And finally, since I will be using the Views module, are Views
> arguments an entry point for attacks, forcing me to run updates?
>
> Thank you for your attention,
> kind regards,
> Francesco
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>

-- 
Sent from my mobile device

