[development] jQuery 1.2 is released

Larry Garfield larry at garfieldtech.com
Sat Sep 15 22:51:58 UTC 2007

If you can get an exploit that allows arbitrary PHP execution, then all you'd need to do is write a new hacked javascript file and then update the database with a new md5sum.  Voila, it won't be detected.  

And having Drupal (or your OS, or browser, or anything else) auto-install files without asking you is a bad idea in general.  The user/admin should always have to be notified of and pre-approve any changes to the installed software.  To do otherwise is just begging for the system to auto-download its own crack.

--Larry Garfield

On Sat, 15 Sep 2007 10:32:30 -0700, "Dmitri G" <dmitrig01 at gmail.com> wrote:
> I don't understand how the DB can be compromized.  Could you clarify?  The
> way I was thinking was running md5_file on the newly downloaded files, and
> saving in to a table with md5 and filename.  In hook_cron, it re-md5's the
> files, and checks against the DB. Maybe if it's not very expensive, we
> could
> even run it every few page loads to be even faster.  Maybe provide a
> slider,
> security vs. speed? :D
> On 9/15/07, Earl Miles <merlin at logrus.com> wrote:
>> D G wrote:
>> > Why not include an MD5 hash in the DB? When you first download the
>> > javascript, it takes an MD5 hash of the file(s) and stores them in the
>> > database.  Every cron, it checks.  If they are not the same, it
>> > re-downloads.
>> Interesting idea, that. It's a step, though the db can also be
>> compromised, if the md5 is re-downloaded regularly that can be mitigated
>> somewhat. That actually does have some merit to it (and it's pretty much
>> why yum and apt-get are trustworthy).

More information about the development mailing list