DRUPAL: is it safe? / cron.php?
Is Drupal vulnerable under some aspect? Or is it in general a secure CMS?
What about cron.php? Can it be overloaded?
Thanks
Drupal is relatively secure in general, but vulnerabilities pop up regularly as with any web application now and then. Make sure to monitor the Security advisories and react to any flaws reported there for core and contributed modules you use (you can get these via mail by subscribing to the newsletter on your Drupal.org account pages).
As for cron.php, a default Drupal install does not protect it from being called by anyone directly, thus exposing some DOS risk, but you can shield it pretty easily by limiting access to it via .htaccess rules - see http://drupal.org/node/41049 for some discussion on it (Don't sweat this - cron.php will not expose any data by itself).
Drupal is in general quite safe. Just be sure to check for updates and install them. (You'll get a notice if there's a new update if you log in as an admin to your site.) cron.php is responsible for site maintenance and update checking. Have a look at this thread from the drupal forums http://drupal.org/node/41049 where a similar question was posed.
Drupal is used everywhere and is proven and professional. Anyone can introduce security vulnerabilities if they try hard enough, so make sure you don't do anything stupid.
If a security flaw was exposed in Drupal, the community would have picked it up within hours and probably issue an update within the same day or two. You really have nothing to worry about, and if hackers did want to target a Drupal site, they'd probably choose a higher-profile one.
Drupal has a good security team and community, and many new security features are appearing in the next release (7) - but in theory having anonymous users able to call cron.php (in ver 6) is a security risk and presents a minor DDoS risk. But it is easily protected in the .htaccess (as mentioned by Henrik Opel) - I use that method too, with adaptations for other sensitive files. The good news is that it is being protected by a hash in Drupal 7; see Slide 26 in this presentation (http://code4lib.org/files/drupal7-c4l10.pdf).
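The .htaccess shielding mentioned in the answers above, as an added example (not from the thread or from Drupal itself): an Apache 2.2-style rule that lets only the server's own cron job reach cron.php, so anonymous visitors get a 403 instead of being able to trigger maintenance runs. The allowed addresses are an assumption and must match the host that actually runs the cron job; anything else is denied.

```apache
# Drop this into the Drupal docroot .htaccess (or the vhost config).
# Only the addresses listed may request cron.php; everyone else gets 403.
# Apache 2.2 syntax (mod_authz_host); on 2.4 use "Require ip ..." instead.
<Files "cron.php">
    Order Deny,Allow
    Deny from all
    # Assumed: cron runs locally via "wget -q -O - http://example.com/cron.php"
    Allow from 127.0.0.1
    # Assumed: a separate scheduler host; replace with your real address
    Allow from 192.0.2.10
</Files>
```

After deploying, confirm the rule works by requesting /cron.php from an outside address and checking for HTTP 403, and from the allowed host and checking that cron still runs (watchdog logs show "Cron run completed").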