Updating Drupal modules
Having the modules or themes writable by the server could allow an attacker to inject PHP code into currently installed modules and/or themes.
If done skillfully (or, more likely, when someone skillfully writes a script for the kiddiez), the site owner and visitors would not see any change to the site, but the malicious code would run on every page load - for example, having the site send out a few spam messages, or pulling the plain-text password from the login form.
Check out the link mentioned to learn more about the effort. Would love your input on how to accomplish this big usability improvement.
Jacob
This would be just great -- a relatively simple way to perform updates.
Funny, but I was just on the phone this AM with Alex Lindahl of Acquia about my interest in handling this sort of thing on my own, as a site owner (rather than paying for external support to do this, as I'm doing now).
I’ve entered the D7 UX fray, specifically focusing my generous amount of Acquia community time on getting a project called the Plugin Manager spruced up and into core.
For more background on the effort, see: Plugin Manager in Core (part 1).
So we were looking at the issue that came up when we did a search for our error in Google; it mentioned something about the Dev. So let's go ahead and upgrade to the Development version of the Module, and see if this problem has been fixed there.
Ask for ssh/ftp credentials every time, so someone with knowledge of ftp/ssh has to do the action 4.
This still seems good to me, plus it's a big win for Drupal-hosting-focused companies, and still maintains a higher standard of security (as I understand it).
That said, you should take a look at how Aegir displays these sorts of details; it's a great inspiration to draw from.
Don't know if you heard about it, but VAserv was hacked hard this weekend.
I had a VPS that was among the casualties there, so maybe I'm a little more sensitive to these issues right now, but I'd like security to be (remain?
Hi Kirk, Please click through the 2nd round wireframes, or go visit this issue at d.o.