nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

Question: Can the extension list be hijacked with a type of "SQL injection" attack? #35

Closed aggie96 closed 6 years ago

aggie96 commented 6 years ago

I have the scripts running on our servers on a daily basis. Just curious if I am putting too much trust into this system's protection from attack. e.g. Could someone insert code into the extension list that is automatically downloaded and hijack the script, similar to a SQL injection attack?

Thanks, Mark

nexxai commented 6 years ago

The only way I could conceivably see that happening is if (and all of the following would need to occur):

  1. Someone finds a 0day in the import feature of FSRM
  2. Someone submits an extension to the list that includes the 0day as the extension
  3. We manually view and approve the extension to the list

While step 2 wouldn't be that difficult, steps 1 and 3 would not be easy to pull off in tandem.

First of all, I'm assuming finding a 0day in FSRM would take some serious effort, but then they'd also have to get it past our manual approval process. Every single submitted extension has to be manually approved (almost solely by me) so they'd have to somehow figure out a way to make a 0day look like a legitimate extension that also just happened to be malicious.

Is it impossible? No, I guess it's not impossible, but it would be EXTREMELY difficult.
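
For administrators who want a local check in addition to the upstream manual approval described above, the following is an added example (not part of this thread and not CryptoBlocker's own code) that treats the downloaded list as untrusted data and validates every entry before anything is handed to FSRM. The function name `Test-FilterList`, the JSON shape, and the `filters` property name are assumptions made for the example; the sample list is constructed.

```powershell
# Constructed sample of a downloaded list. The JSON shape and the 'filters'
# property name are assumptions for this example.
$sampleJson = @'
{ "filters": [ "*.locky", "HELP_DECRYPT.TXT", "*.*", "",
               "..\\share\\*.doc", "*.enc|tmp", "*.crypt\u0007" ] }
'@

# Hypothetical helper: splits patterns into accepted and rejected (with reason).
function Test-FilterList {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]] $Pattern,
        [int] $MaxLength = 128
    )
    $accepted = New-Object 'System.Collections.Generic.List[string]'
    $rejected = New-Object 'System.Collections.Generic.List[object]'
    foreach ($p in $Pattern) {
        $reason = $null
        if ([string]::IsNullOrWhiteSpace($p))    { $reason = 'empty entry' }
        elseif ($p.Length -gt $MaxLength)        { $reason = 'too long' }
        elseif ($p -match '[\x00-\x1F\x7F]')     { $reason = 'control character' }
        # A file screen pattern is a file name with wildcards, so path
        # separators and characters illegal in Windows file names are refused.
        elseif ($p -match '[\\/:"<>|]')          { $reason = 'not valid in a file name' }
        # Only wildcards, dots and spaces: the pattern would match every file.
        elseif ($p -notmatch '[^*?.\s]')         { $reason = 'no literal characters' }

        if ($reason) {
            $rejected.Add([pscustomobject]@{ Pattern = $p; Reason = $reason })
        } else {
            $accepted.Add($p)
        }
    }
    [pscustomobject]@{
        Accepted = $accepted.ToArray()
        Rejected = $rejected.ToArray()
    }
}

$filters = @(($sampleJson | ConvertFrom-Json).filters)
$result  = Test-FilterList -Pattern $filters

$result.Rejected | Format-Table -AutoSize
if ($result.Rejected.Count -gt 0) {
    # Keep the previously applied list rather than importing a partial one.
    Write-Warning ("{0} entries rejected; list not applied." -f $result.Rejected.Count)
}
```

With the constructed sample, `*.locky` and `HELP_DECRYPT.TXT` are accepted and the other five entries are rejected with a reason each.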