Posted: Wed Jan 02, 2008 10:11 pm
by docwilmot
I was asking why Drupal does not have an installer for modules and was advised this was a huge security risk, but Joomla obviously uses installers for components/mambots/themes/modules. In your experience, is this a vulnerability in Joomla then? Have sites been compromised by way of the installer function?

Posted: Fri Jan 04, 2008 1:14 am
by eaton
There's always some degree of risk when using a web-based interface to install software on your server rather than retrieving it yourself, taking a look to make sure it's what you want, and installing it yourself. However, one of the major security risks in a traditional "click here to download a plugin and install it" system is that the web app itself becomes capable of overwriting its own code.

Joomla! has a built-in FTP API that (if I understand correctly) avoids some of these security issues by using a secondary application on the server to do the actual downloading and installation. Some of the Joomla! gurus can probably shed more light on it, or correct me where I'm wrong.

Posted: Sat Jan 05, 2008 3:25 pm
by RussW
As far as I am aware, I have not heard of the installer being vulnerable; most exploits and compromises come from poor permission settings, vulnerable extensions themselves and loose PHP settings.
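
The two points above (eaton's "the web app becomes capable of overwriting its own code" and RussW's "poor permission settings") can be checked directly on a server. The following is an added example, not code from this thread or from Joomla or Drupal: a small POSIX shell audit that lists every path under a web root that the web server account could write to, either because that account owns the file with the owner-write bit set or because the file is world-writable. A clean result is what an FTP-layer installer is meant to preserve: the code tree is owned by the FTP account, and the PHP process only needs read access. The web root path, the web server account (`www-data` on Debian-style systems, or a numeric uid) and the sample tree built by `make_sample_root` are all constructed for the demonstration and are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, Joomla or Drupal): audit a PHP web root
# for paths the web server process could overwrite.
# Assumptions: GNU or BSD find; the caller supplies ROOT and WEBUSER; the
# sample tree produced by make_sample_root is constructed for the demo only.

# list_writable ROOT WEBUSER
# Print every path under ROOT that WEBUSER can modify: owned by WEBUSER with
# the owner-write bit set, or world-writable regardless of owner.
# WEBUSER may be an account name (www-data) or a numeric uid.
list_writable() {
    find "$1" \( -user "$2" -perm -200 \) -o -perm -002 2>/dev/null | sort
}

# count_writable ROOT WEBUSER
# Print the number of writable paths; 0 means the tree is clean.
count_writable() {
    list_writable "$1" "$2" | wc -l | tr -d ' '
}

# audit_writable ROOT WEBUSER
# Return 0 when WEBUSER cannot modify anything under ROOT (the state an
# FTP-layer installer is meant to keep), otherwise print the offenders and
# return 1.
audit_writable() {
    n=$(count_writable "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "clean: $2 cannot write anything under $1"
        return 0
    fi
    echo "WARNING: $n path(s) under $1 are writable by $2:"
    list_writable "$1" "$2" | sed 's/^/  /'
    return 1
}

# make_sample_root
# Build a constructed demo web root and print its path. Files are owned by
# the account running this script, which stands in for a deployment where
# the web server runs as the file owner (the risky "web app can rewrite
# itself" layout). Two deliberately bad permissions are included.
make_sample_root() {
    root=$(mktemp -d)
    chmod 755 "$root"
    printf '<?php echo "hello";\n' > "$root/index.php"
    chmod 644 "$root/index.php"
    printf '<?php $dbpass = "secret";\n' > "$root/configuration.php"
    chmod 666 "$root/configuration.php"   # world-writable config: bad
    mkdir "$root/tmp"
    chmod 777 "$root/tmp"                 # world-writable directory: bad
    echo "$root"
}

# Demo run: first as the file owner (everything writable, the situation
# eaton warns about), then as an unrelated uid (only the world-writable
# paths show up, RussW's "poor permission settings").
demo_root=$(make_sample_root)
audit_writable "$demo_root" "$(id -u)" || true
audit_writable "$demo_root" "$(( $(id -u) + 1 ))" || true
rm -rf "$demo_root"
```

On a real deployment run it as `audit_writable /var/www/html www-data` (path and account are examples). If the web server account owns the code tree with write access, a compromise of any extension, or of the installer itself, can be turned into a persistent modification of the site's own PHP files; if only `configuration.php` or a cache directory shows up, those are the permissions to tighten first.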