[geeklog-devel] Hmm ...

Dirk Haun dirk at haun-online.de
Wed Jun 25 14:41:42 EDT 2008


Mark Howard wrote:

>I think this is sound security practice -
>eg. disable all potentially dangerous features, but go ahead and provide the
>ability to re-enable them through the configuration interface.

That's one way of looking at it. The other is that disabling something
after it was enabled by default previously sends a message to those that
want to use it - namely, that it's probably not a good idea to enable it.

As can be seen from the indecisive subject, I have no final opinion on
this yet ...

The exact quote from one of the WordPress people is:
>We have chosen to disable Atom Publishing Protocol and the variety of
>XML-RPC protocols by default as they expose a potential to be a
>security risk.

That's very vague. You might as well just disable the entire website[1]
as it exposes a potential risk of SQL injections and XSS.

I thought that the "A Real Solution" section from the Red Sweater blog -
possible financial interest on their part aside - had some good points.
But maybe I only agree with them because it's what we're doing in 1.5.0 ;-)

bye, Dirk

[1] whatever software it's running on - this wasn't meant as a stab at
WordPress


-- 
http://www.haun-online.de/
http://spam.tinyweb.net/