[development] jQuery 1.2 is released

Larry Garfield larry at garfieldtech.com
Sat Sep 15 22:51:58 UTC 2007


If you can get an exploit that allows arbitrary PHP execution, then all you'd need to do is write a new hacked JavaScript file and then update the database with a new md5sum.  Voila, it won't be detected.

And having Drupal (or your OS, or browser, or anything else) auto-install files without asking you is a bad idea in general.  The user/admin should always have to be notified of and pre-approve any changes to the installed software.  To do otherwise is just begging for the system to auto-download its own crack.

--Larry Garfield

On Sat, 15 Sep 2007 10:32:30 -0700, "Dmitri G" <dmitrig01 at gmail.com> wrote:
> I don't understand how the DB can be compromised.  Could you clarify?  The
> way I was thinking was running md5_file on the newly downloaded files, and
> saving into a table with md5 and filename.  In hook_cron, it re-md5's the
> files, and checks against the DB. Maybe if it's not very expensive, we could
> even run it every few page loads to be even faster.  Maybe provide a slider,
> security vs. speed? :D
> 
> On 9/15/07, Earl Miles <merlin at logrus.com> wrote:
>>
>> D G wrote:
>> > Why not include an MD5 hash in the DB? When you first download the
>> > javascript, it takes an MD5 hash of the file(s) and stores them in the
>> > database.  Every cron, it checks.  If they are not the same, it
>> > re-downloads.
>>
>> Interesting idea, that. It's a step, though the db can also be
>> compromised, if the md5 is re-downloaded regularly that can be mitigated
>> somewhat. That actually does have some merit to it (and it's pretty much
>> why yum and apt-get are trustworthy).
>>
> 
> 
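
An added example, not part of the thread and not Drupal code: it contrasts the md5-in-a-table check proposed above with a manifest signed by a key the site never holds, which is the property that package managers such as yum and apt-get rely on. The file name, file contents, `db_check()` and `signed_check()` are constructed for illustration. It assumes PHP 7.2+ with the sodium extension, and that the pinned public key and the verifying code are not writable by the web server user.

```php
<?php
// Added illustration; file names and contents are constructed sample data.

// Scheme from the thread: compare each file with an MD5 kept in a table.
function db_check(array $table, string $dir): bool {
    foreach ($table as $name => $md5) {
        if (!hash_equals($md5, md5_file("$dir/$name"))) return false;
    }
    return true;
}

// Alternative: hashes live in a manifest signed with a key the site never holds.
function signed_check(string $manifest, string $sig, string $pubKey, string $dir): bool {
    if (!sodium_crypto_sign_verify_detached($sig, $manifest, $pubKey)) return false;
    foreach (json_decode($manifest, true) as $name => $sha256) {
        if (!hash_equals($sha256, hash_file('sha256', "$dir/$name"))) return false;
    }
    return true;
}

// Publisher side, done off the web server (assumption).
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$pubKey    = sodium_crypto_sign_publickey($keypair); // pinned copy on the site

$dir = sys_get_temp_dir() . '/integrity_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/jquery.js", "/* constructed stand-in for the library */\n");
$manifest = json_encode(['jquery.js' => hash_file('sha256', "$dir/jquery.js")]);
$sig      = sodium_crypto_sign_detached($manifest, $secretKey);

// Site side: the array stands in for the database table of md5 + filename.
$table = ['jquery.js' => md5_file("$dir/jquery.js")];

// What the reply describes: the file changes and the stored hash is refreshed.
file_put_contents("$dir/jquery.js", "/* constructed modified copy */\n");
$table['jquery.js'] = md5_file("$dir/jquery.js");
$forged = json_encode(['jquery.js' => hash_file('sha256', "$dir/jquery.js")]);

$results = [
    'stored-hash check passes'          => db_check($table, $dir),
    'signed manifest check passes'      => signed_check($manifest, $sig, $pubKey, $dir),
    'rewritten manifest, old signature' => signed_check($forged, $sig, $pubKey, $dir),
];
foreach ($results as $label => $ok) {
    echo str_pad($label, 36), $ok ? 'yes' : 'no', PHP_EOL;
}

unlink("$dir/jquery.js");
rmdir($dir);
```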


