> An "ftp style install" is not typical at any company I've been at
I am glad for you -- as I mentioned, it is possible to have a secure PHP installation, and apparently your company does this. But unfortunately, there are many people who just want to get the app going as fast as possible -- and thus often end up with an "ftp style" install.
Let's look at WordPress: searching for "install wordpress" brings me here: https://codex.wordpress.org/Installing_WordPress#Famous_5-Mi... , which says "Upload the WordPress files to the desired location on your web server" and "Run the WordPress installation script by accessing the URL in a web browser." -- a typical "ftp style" install.
Joomla install even talks about ftp clients! https://docs.joomla.org/J3.x:Installing_Joomla
> Most (good) exploits are executable code in the database, and not even visible (unless you know where to look). That also applies to Javascript/Python/C/etc that would survive docker containers and horizontally scaled servers.
Sure, exploits happen. But the question is: will they persist? Your code might have a database-driven XSS or RCE bug, but hopefully this will be noticed and fixed -- and once you install the latest version, those database records will be ignored/rendered inert, and your system is clean.
... that is, unless you were running WordPress installed in the recommended way. There, once you have been exploited, you can click on "upgrade" in admin.php as much as you want, but your system will stay exploited forever.
But luckily, things are improving. I remember trying to install ownCloud a few years ago, and it really wanted its code dir to be writable. I just checked their website today, and they offer a Docker install now -- this is great! Unfortunately, there is still a ton of existing PHP apps which rely on being able to modify their own code.
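To make the persistence point above concrete, here is an added example (written for this page, not code from the thread or from WordPress): a deploy-time manifest of file hashes that a later scan diffs against the live tree, plus a check that the code directory is not group- or world-writable. Paths and file contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    """Map each file under root (as 'a/b/c.php') to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files added, modified or removed since the deploy-time baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def group_or_world_writable(path):
    """True if the directory mode lets group or others write into it."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Constructed scenario: deploy, then changes made through the web root."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php require 'wp-blog-header.php';")
        baseline = build_manifest(root)  # recorded at deploy time
        # Later: an existing file edited and a new .php dropped into uploads
        with open(os.path.join(root, "index.php"), "ab") as fh:
            fh.write(b"\n/* appended after deploy */")
        with open(os.path.join(uploads, "extra.php"), "wb") as fh:
            fh.write(b"<?php /* not part of the deploy */")
        return diff_manifest(baseline, build_manifest(root))
```

Storing the baseline outside the web root (or in the image that built it) is what makes the diff trustworthy; an upgrade that only replaces known files leaves the "added" entries in place, which is exactly the persistence the comment describes.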
from Hacker News - New Comments: "WordPress" http://bit.ly/2EQ4OVw
via IFTTT