Closed aggie96 closed 6 years ago
The only way I could conceivably see that happening is if (and all of the following would need to occur):
While step 2 wouldn't be that difficult, steps 1 and 3 would not be easy to pull off in tandem.
First of all, I'm assuming finding a 0day in FSRM would take some serious effort, but then they'd also have to get it past our manual approval process. Every single submitted extension has to be manually approved (almost solely by me) so they'd have to somehow figure out a way to make a 0day look like a legitimate extension that also just happened to be malicious.
Is it impossible? No, I guess it's not impossible, but it would be EXTREMELY difficult.
I have the scripts running on our servers on a daily basis. Just curious if I am putting too much trust into this system's protection from attack. e.g. Could someone insert code into the extension list that is automatically downloaded and hijack the script, similar to a SQL injection attack?
Thanks, Mark
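One way to reduce the trust placed in the automatically downloaded list is to treat it strictly as data and validate every entry before it reaches FSRM. The following is an added example, not code from this thread or from the project's script. It assumes the list arrives as JSON with a `filters` array of file-name patterns; `Test-ExtensionList`, the sample payload and the limits are hypothetical.

```powershell
# Added example, not the project's script. Assumptions: the list is JSON with a
# "filters" array of file-name patterns; Test-ExtensionList is a hypothetical name.
function Test-ExtensionList {
    param(
        [Parameter(Mandatory)][string]$Json,
        [int]$PreviousCount = 0,   # size of the last accepted list; 0 = unknown
        [int]$MaxLength = 128      # constructed limit for one pattern
    )
    # ConvertFrom-Json only builds objects from the text; nothing in it is executed.
    $parsed = ConvertFrom-Json -InputObject $Json
    if ($null -eq $parsed.filters) { throw 'No "filters" array in the downloaded list.' }

    # Allowlist of characters for a pattern: no quotes, backticks, semicolons,
    # pipes, dollar signs, path separators or control characters.
    $allowed = '^[A-Za-z0-9 ._\-*?!@#%&()\[\]{}+=~,]+$'
    $accepted = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[string]]::new()
    foreach ($f in @($parsed.filters)) {
        $ok = ($f -is [string]) -and ($f.Length -ge 1) -and ($f.Length -le $MaxLength) -and
              ($f -match $allowed) -and
              ($f -notmatch '^[*?.]+$')   # only wildcards/dots would match every file
        if ($ok) { $accepted.Add($f) } else { $rejected.Add([string]$f) }
    }
    # A list that suddenly loses most of its entries is treated as suspect.
    $shrunk = ($PreviousCount -gt 0) -and ($accepted.Count -lt ($PreviousCount / 2))
    [pscustomobject]@{
        Accepted = $accepted.ToArray()
        Rejected = $rejected.ToArray()
        # Fail closed: one bad entry makes the whole download unusable.
        Usable   = ($accepted.Count -gt 0) -and ($rejected.Count -eq 0) -and (-not $shrunk)
    }
}

# Constructed sample payload: two plausible patterns and three entries that must be refused.
$sample = '{"filters":["*.locked","HOW_TO_DECRYPT*.txt","*.*","*.x\"; Write-Output injected #","..\\..\\share"]}'
$result = Test-ExtensionList -Json $sample
$result.Rejected | ForEach-Object { Write-Warning "Refused list entry: $_" }
if ($result.Usable) {
    # Hand the values over as an array argument, never through Invoke-Expression
    # or a command line assembled from strings, for example:
    # Set-FsrmFileGroup -Name '<your file group>' -IncludePattern $result.Accepted
} else {
    Write-Warning 'List failed validation; keeping the previous file group unchanged.'
}
```

With the constructed sample, the three malformed or over-broad entries are refused and `Usable` is false, so the existing file group is left untouched until a clean list is downloaded.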