- Gábor Hojtsy, Hungary
Added this to the project page:
Warning
Enabling this module can cause security and performance issues as it allows users to execute PHP code on your site. A much better alternative is creating custom modules for the things you embedded PHP for previously, such as a custom module defining a block with your own code, rather than a custom block with PHP in it.
The module may break your site
The module has no way to validate the PHP code before executing it. When using the PHP filter, it is very easy to input incorrect code that leads to WSOD (white screen of death) problems, where interpreting the PHP code leads to fatal errors and nothing is displayed on the page. It is very easy to get into this situation, and it may require direct access to the server to get out of it.
The module exposes all website data to users with permission to use it
Any user with permission to use the filter will be able to access all data available to Drupal. It is not possible to limit access to personal data, private information or unpublished content for users that have permission to use this filter. Even on many secured servers, it may be possible to scan the server for additional files. If you can read the settings.php file of another Drupal installation, then you will be able to access its database as well.
The module gives very wide access to the server filesystem and executables
Any user with permission to use the filter will be able to run executables through PHP and access and modify all files that the webserver user has access to. With this access, there are a million ways to take control of the site or server.
The module makes other security issues a lot more dangerous
For example, if any of your components have cross-site scripting (XSS) issues on pages that also have PHP input capability, the XSS is escalated to the potential to fully compromise the data and even the whole server, giving hackers access to personal data.
Your site may become a spam source
A frequent goal of a hacker is to use your server to send spam. Gaining access to PHP will allow the user to send emails at will.
I think this takes care of it?
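The alternative the warning recommends, a custom module defining a block with its own code instead of PHP stored in a block body, shown as an added illustration that is not part of the issue or the PHP module. It assumes Drupal 8+ and a hypothetical module named `mymodule`, and includes the node access check that PHP typed into a block body cannot enforce.

```php
<?php
// Added example, not part of the issue or the PHP module: a custom module
// block (hypothetical module name "mymodule", Drupal 8+) that lists recent
// content. File: modules/custom/mymodule/src/Plugin/Block/RecentNodesBlock.php

namespace Drupal\mymodule\Plugin\Block;

use Drupal\Core\Block\BlockBase;

/**
 * Lists the five most recently created published nodes.
 *
 * @Block(
 *   id = "mymodule_recent_nodes",
 *   admin_label = @Translation("Recent nodes (custom module)"),
 * )
 */
class RecentNodesBlock extends BlockBase {

  public function build() {
    $storage = \Drupal::entityTypeManager()->getStorage('node');
    // Unlike PHP typed into a block body, this query is reviewed code kept
    // in version control, and it enforces node access for the viewing user,
    // so unpublished or grant-restricted content is never leaked.
    $nids = $storage->getQuery()
      ->accessCheck(TRUE)
      ->condition('status', 1)
      ->sort('created', 'DESC')
      ->range(0, 5)
      ->execute();

    $items = [];
    foreach ($storage->loadMultiple($nids) as $node) {
      $items[] = $node->toLink()->toRenderable();
    }

    return [
      '#theme' => 'item_list',
      '#items' => $items,
      '#cache' => [
        // Invalidate when any node changes; vary by the user's node grants.
        'tags' => ['node_list'],
        'contexts' => ['user.node_grants:view'],
      ],
    ];
  }

}
```

The module also needs a `mymodule.info.yml` declaring `name`, `type: module` and `core_version_requirement`; once enabled, the block is placed through the block layout UI like any other, and no user needs the PHP filter permission.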
Automatically closed - issue fixed for 2 weeks with no activity.