What is the note from security team supposed to mean?
Steve Dondley - April 17, 2007 - 04:03
| Project: | Module Installer |
| Version: | 5.x-1.x-dev |
| Component: | Documentation |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
What does "Note from security team: this module should only be tested on localhost." mean? It's rather cryptic.
Does that mean the database should be accessible only from the localhost?

#1
There are some security concerns, particularly if you were to use this module on a site with multiple admin users, as it doesn't really check to make sure that the address you feed it is an official contrib module, etc.
Some of these issues are fixed in the 5.x dev snapshot, but there are a couple of places that really need some security tightening up. I have the solutions; what is required is simply the time to implement them or for someone to volunteer.
#2
I currently use a combination of the update status module and modules installer to keep my modules up to date; they have worked pretty fine for weeks now. My site has only one admin; should I still be worried?
I might be able to contribute to solving these security issues, but I need more information.
#3
I just fixed the note from the team to be more explicit:
Note from security team: If your webserver can write your modules that is a severe security weakness. The security team strongly advises users not to install this module.
Hope that helps... ;)
We think this module should be unpublished.
#4
See http://drupal.org/node/211252 for more specifics.
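
A way to check the condition named in the revised note in #3, whether the web server account can write to the modules directory (added example, not part of the thread or the module's code). The directory path and account name are assumptions, and only ownership and mode bits are examined, not group membership or ACLs:

```shell
#!/bin/sh
# Added example: list paths under a modules directory that the web server
# account could modify, judged from ownership and mode bits only.
#
# Usage: audit_modules_writable DIR WEB_USER
#   DIR       modules directory to audit (assumed, e.g. sites/all/modules)
#   WEB_USER  name or numeric uid the web server runs as (assumed, e.g. www-data)
audit_modules_writable() {
    dir=$1
    web_user=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Report a path when either holds:
    #   - it is owned by the web server account and has the owner-write bit
    #   - it is world-writable
    # Symlinks are skipped because their own mode bits are not meaningful.
    find "$dir" ! -type l \
        \( \( -user "$web_user" -perm -200 \) -o -perm -002 \) -print
}

# Exit status: 0 when nothing is writable, 1 when findings exist,
# 2 when the directory argument is invalid.
modules_dir_is_locked_down() {
    findings=$(audit_modules_writable "$1" "$2") || return 2
    [ -z "$findings" ]
}
```

An empty listing means no path matched these two checks; group-writable paths where the web server account is a group member still need a separate look.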