Hi everybody, some questions which I wasn't able to find an answer to, searching the web and the Drupal site (as I mentioned before, the link for searching the support list archives is broken, hence I couldn't search there).
Some of the sites I'm creating do not give users the ability to create content, nor to comment on anything.
Only administrators can create content and post comments, as well as creating new accounts (but those sites will have just a handful of users in any case, the administrators themselves).
So the question is: in such a scenario, is it mandatory to run updates - especially security updates?
My knowledge about security issues borders the zero line, hence I really don't know how much risk I would be taking by not running updates regularly - by the way, regular backups are a rule for me in any case, moreover because I could break the site myself ;-)
Imagine now I give anonymous users the ability to comment, while keeping all content creation permissions for administrators, would then an outdated site still be safe?
And finally, since I will be using the Views module, are Views arguments an entry point for attacks, forcing me to run updates?
Thank you for your attention, kind regards, Francesco
Any data from a user is a possible attack vector for potential hackers. I'd say that if users can't create or modify content you're safer, but I'd still run updates. Not only do the updates fix security problems, they provide bug fixes which might improve the functioning of your site.
On 5/15/09, Francesco entuland@gmail.com wrote:
> Hi everybody, some questions which I wasn't able to find an answer to, searching the web and the Drupal site (as I mentioned before, the link for searching the support list archives is broken, hence I couldn't search there).
> Some of the sites I'm creating do not give users the ability to create content, nor to comment on anything.
> Only administrators can create content and post comments, as well as creating new accounts (but those sites will have just a handful of users in any case, the administrators themselves).
> So the question is: in such a scenario, is it mandatory to run updates - especially security updates?
> My knowledge about security issues borders the zero line, hence I really don't know how much risk I would be taking by not running updates regularly - by the way, regular backups are a rule for me in any case, moreover because I could break the site myself ;-)
> Imagine now I give anonymous users the ability to comment, while keeping all content creation permissions for administrators, would then an outdated site still be safe?
> And finally, since I will be using the Views module, are Views arguments an entry point for attacks, forcing me to run updates?
> Thank you for your attention, kind regards, Francesco
> --
> [ Drupal support list | http://lists.drupal.org/ ]
Hi Justin, thank you for your response. These words of yours:
> Any data from a user is a possible attack vector for potential hackers.
are just what I needed to hear. I have to explain the need for updates depending on the amount - and moreover on the configuration - of the Drupal modules to the people I am making sites for.
> I'd say that if users can't create or modify content you're safer, but I'd still run updates. Not only do the updates fix security problems, they provide bug fixes which might improve the functioning of your site.
No problem for my very own sites, I'm more concerned about my "clients'" site security - clients inside quotes because that's not paid work :-/ The more modules, the more updates to take care of...
Well, I'll find an arrangement.
Thanks a lot, Francesco