[development] jQuery 1.2 is released

Gábor Hojtsy gabor at hojtsy.hu
Thu Sep 13 15:36:46 UTC 2007


On 9/13/07, Daniel F. Kudwien <news at unleashedmind.com> wrote:
> > Um, perhaps you all have not seen previous threads about the hazards of
> > allowing executable code in a writeable directory?
> >
> > -Peter
>
> By referencing to those 'obvious' discussions without any link or quote, I'm
> feeling quite stupid now. I've searched drupal.org, the development list
> archives and Google for the terms executable, code, writeable, directory(,
> drupal). Guess what? I did not find any thread containing useful,
> deep-insight information about why other systems like JOS/MOS are (more or
> less) successfully using writable directories for their modules [components]
> for quite some time now and Drupal is not.
>
> Could someone please direct me/us to some einlightening issues and/or
> threads? That would be greatly appreciated.

Consider this:

 - a PHP script has write access to your module folders (where PHP
scripts reside)
 -> if any small remote injection vulnerability is found in Drupal or
any module you use, anyone can plant arbitrary PHP scripts on your
site
 -> even if your system is "100% secure", if you are on a shared host,
most of the time you get a PHP process which runs under the same user
name/permission for all sites... if there is any vulnerability in any
of the other sites, anyone can plant arbitrary PHP scripts on your
system
 -> alternatively people whom you share your server with can write
targeted code to easily plant arbitrary PHP scripts in your webroot

In short: As long as PHP scripts are allowed to write directories,
where PHP scripts are stored, any PHP script running on the server can
write to that directory, either on purpose or by exploiting security
holes.

Gabor


More information about the development mailing list