Announcements

Modules and Security


Posted: January 19, 2007 by signex

Yesterday I made an entry about CMSMS getting bigger and having a fair amount of users. Now, there is also a downside to this. Getting more attention will also attract hackers, knowing when they can get into one CMSMS website they can get into a lot more. However, the development of the core is done by a of couple great developers. I don't think the CMS Made Simple core would get into a lot of problems when getting bigger and having more users. Also, they would be releasing patches quickly when serious security holes would occur. But how about the modules? And I'm not talking about the much used modules as they will grow and get updated with the core system because so many people use them. But the more unknown modules which don't get updated very often. Those modules will probably cause potential security risks in the future, since scripting never stands still and new vulnerabilities get discovered every now and then. Now we all know that using GPL/Open source software comes without warranties, and using it is at your own risk, but when old modules get security issues CMSMS gets blamed, or at least associated with the vulnerability. This is kinda the way Joomla got his bad name in my opinion. Joomla as a clean install combined with decent chmodding is pretty safe, but with so many 3rd party modules its hard to keep track of what's safe to use and what's not, maybe not for the hardcore coders between us but it is for many others. So what would be a good way to "protect users" against the risk of using older not updated modules? Maybe a new module category in the forge called "Not updated in the last 12 months - could have potential security risks and/or isn't compatible with new core systems" and automatically put all the modules in there which have not been updated in the last 12 months. I'm really interested in how other people think about the module security. Am I just paranoid or could these thoughts be potential ideas? Drop your thoughts in the comments! Regards Signex / Benjamin

Our Partners: