14 Sep 2007, 2:26 a.m.
Quoting Earl Miles <merlin@logrus.com>:
> By allowing uploaded files to be run as code, any minor bug in the server or site software, anywhere, that could allow the uploading of arbitrary files could then overwrite code that is run; this could then allow a much larger hack that could totally take over the site.
Uhm, the only one able to write to the files/jquery directory would be Administrative types that want to install a jQuery plugin. Allowing others to do that would be ludicrous. If this is such a big security issue then the image modules better be careful!! This includes the avatar in the profile modules.

Earnie
--
http://for-my-kids.com/
http://give-me-an-offer.com/
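The risk Earl describes (a file dropped into a web-served upload directory that the server then executes as code) is something an administrator can audit for without changing the site. The following script is an added example, not code from this thread or from any project discussed in it: it walks an upload directory such as files/ and reports names that a typical server would treat as scripts, double extensions like avatar.php.jpg, server configuration files that could re-enable script handling, and world-writable paths that would let any local process add files. The extension list and the directory path are assumptions for the example; adjust them to the handlers actually enabled on your server.

```python
import os
import stat
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions a web server may hand to a script interpreter when it serves
# the upload directory directly. Constructed for this example; extend it
# to match the handlers enabled on the server being audited.
EXECUTABLE_EXTENSIONS = {
    ".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
    ".pl", ".py", ".cgi", ".sh", ".jsp", ".asp", ".aspx",
}

# Per-directory server configuration files: if a writer can drop one of
# these into the upload directory, it can change how the directory is served.
CONFIG_FILES = {".htaccess", "web.config"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason if a filename looks like code or server config, else None.

    Every suffix is inspected, so 'avatar.php.jpg' and 'plugin.jpg.php' are
    both flagged: some handler configurations match on any extension in the
    name, not only the last one.
    """
    lower = name.lower()
    if lower in CONFIG_FILES:
        return "server configuration file"
    suffixes = Path(lower).suffixes
    for suffix in suffixes:
        if suffix in EXECUTABLE_EXTENSIONS:
            if suffix != suffixes[-1]:
                return f"double extension containing {suffix}"
            return f"executable extension {suffix}"
    return None


def audit_directory(root: str) -> List[Tuple[str, str]]:
    """Walk an upload directory and return (path, reason) findings.

    World-writable files and directories are reported alongside risky names:
    a writable directory lets any local process add files there, which is
    the 'anyone can upload' situation the thread is discussing.
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((full, "world-writable directory"))
        for f in filenames:
            full = os.path.join(dirpath, f)
            reason = classify_name(f)
            if reason:
                findings.append((full, reason))
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((full, "world-writable file"))
    return findings


if __name__ == "__main__":
    import sys
    # Assumed default: run from the site root and audit ./files
    target = sys.argv[1] if len(sys.argv) > 1 else "files"
    for path, reason in audit_directory(target):
        print(f"{path}: {reason}")
```

Run it as `python audit_uploads.py files` (the script name is assumed). A clean result does not prove the directory is safe, since the real control is the server refusing to execute anything under it; the report only shows where that control is being relied on.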