What kind of potential security risk does it raise if I leave `$update_access_free = TRUE` in Drupal on a production environment? In that case, everyone can run update.php. Assuming there are no updates available, what can an attacker do?
views: 69
answers: 3
+8
A:
If left enabled, an attacker could run old updates, which in a good scenario would only bog down your site's performance, but in a worst-case scenario could result in data loss or data corruption.
jhedstrom
2010-10-13 17:47:44
A:
I wouldn't even allow access as it is unnecessary.
Someone could constantly access and run this page, using system resources.
Kevin
2010-10-13 17:49:25
A:
If what you are looking for is a way to easily update your site, you should add a cron job with a Drush command to update the site at midnight. Now, from time to time developers release module fixes or upgrades that might break something on your site. Hopefully in Drupal 7 the update can be done using the site interface, and I am sure there might be some sort of console module to keep multiple sites updated.
redhatlab
2010-10-17 04:09:49
Not really. I was curious what security risk it raises if I accidentally left `$update_access_free` enabled. But it's a good point that it's a real problem when automatic site update is configured.
Török Gábor
2010-10-17 07:48:10
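A defender-side check for the "accidentally left enabled" case discussed in this thread, added here as an example and not taken from any of the posts or from Drupal itself: it lists every `sites/*/settings.php` whose last uncommented assignment of the flag is truthy. The function names and the sample file are constructed for illustration; the scan matches both the variable name as written in the question and `$update_free_access`, the spelling in Drupal core's default settings.php.

```python
import re
import sys
from pathlib import Path

# Names to look for: the one written in the question, plus
# $update_free_access as spelled in Drupal core's default settings.php.
FLAG_NAMES = ("update_access_free", "update_free_access")

_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)
_ASSIGN = re.compile(r"\$(?:%s)\s*=\s*([^;]+);" % "|".join(FLAG_NAMES))
_TRUTHY = {"true", "1"}

# Constructed sample: a commented-out line, a safe default, then a later
# override that was never reverted.
SAMPLE_SETTINGS = """<?php
// $update_access_free = TRUE;
$db_url = 'mysql://user:pass@localhost/drupal';
$update_access_free = FALSE;
/* re-enabled for a manual update and never reverted */
$update_access_free = TRUE;
"""


def flag_enabled(php_source):
    """Return True if the last live assignment of the flag is truthy."""
    # Simplification (assumption): comment stripping does not parse string
    # literals, which is adequate for a stock settings.php.
    code = _COMMENTS.sub("", php_source)
    values = _ASSIGN.findall(code)
    return bool(values) and values[-1].strip().lower() in _TRUTHY


def audit(drupal_root):
    """Return settings.php paths under sites/ where the flag is enabled."""
    hits = []
    for path in sorted(Path(drupal_root).glob("sites/*/settings.php")):
        if flag_enabled(path.read_text(errors="replace")):
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    exposed = audit(root)
    for p in exposed:
        print("update.php is open to anonymous users via", p)
    sys.exit(1 if exposed else 0)
```

Run it against the Drupal document root from a deployment pipeline or a cron job; a non-zero exit status means at least one site still has the flag enabled.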