[geeklog-devel] Hmm ...

Dirk Haun dirk at haun-online.de
Wed Jun 25 14:41:42 EDT 2008


Mark Howard wrote:

>I think this is sound security practice -
>eg. disable all potentially dangerous features, but go ahead and provide the
>ability to re-enable them through the configuration interface.


That's one way of looking at it. The other is that disabling something
after it was enabled by default previously sends a message to those that
want to use it - namely, that it's probably not a good idea to enable it.

As can be seen from the indecisive subject, I have no final opinion on
this yet ...

The exact quote from one of the WordPress people is:

>We have chosen to disable Atom Publishing Protocol and the variety of
>XML-RPC protocols by default as they expose a potential to be a
>security risk.

That's very vague. You might as well just disable the entire website[1]
as it exposes a potential risk of SQL injections and XSS.

I thought that the "A Real Solution" section from the Red Sweater blog -
possible financial interest on their part aside - had some good points.
But maybe I only agree with them because it's what we're doing in 1.5.0 ;-)

bye, Dirk

[1] whatever software it's running on - this wasn't meant as a stab at
WordPress


--
http://www.haun-online.de/
http://spam.tinyweb.net/