Hi Kyle,
let's do some analysis and maybe we'll agree on agreeing. :-)

- Drupal has its own view of virtual hosting (sites). Each site has to be configured with files in different directories. If no site is configured, the default configuration applies to all sites. So you don't really have all sites vulnerable with the default Debian install. You just have one site that is available on different virtual hosts (www.foo.com/drupal5 is just the same as www.bar.com/drupal5). There is no vulnerability multiplication.

- Virtual hosting itself is not a secure way to separate 'data domains'. Since all virtual hosts run in the same webserver process with the same rights, exploiting a hole in one virtual host usually leads to access to all other virtual hosts. Obviously this is true only for serious holes. Trivial holes like SQL injection only apply to the single webapp database. See the previous point for this: if drupal5 is vulnerable to SQL injection, the default Debian install will only make the single site vulnerable. On the other hand, if the vulnerability leads to file system access or, worse, to arbitrary code execution, other virtual hosts will not be protected in any way.

So again this is, as usual, a compromise between security and ease-of-use. I chose not to provide any third-party module for Drupal in the Debian package, avoiding security issues in those modules. At the same time I chose to make it easy for inexperienced people to set up a Drupal site, as experienced admins would always know how to trim access down to their own needs. The same choice applies to many other packages in Debian (think phpmyadmin, phppgadmin, acidbase and any package using wwwconfig-common).

Hope I could make it clearer to you. :-)

Regards,

L

--
Luigi Gangitano -- <[EMAIL PROTECTED]> -- <[EMAIL PROTECTED]>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
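The first point above (one sites/default configuration shared by every virtual host unless a host-specific directory exists) can be seen by modelling the lookup Drupal performs on the sites/ directory. The following is an added example, not Drupal's code nor anything shipped in the Debian package: it reimplements, as I recall it, the order in which Drupal 5 probes sites/<host>.<path>/settings.php (most specific host and path first, then shorter host suffixes, finally sites/default). The host names, the /drupal5 path and the temporary sites tree are constructed for the demonstration.

```python
"""Model of Drupal 5's multisite lookup: sites/<host>.<path>/settings.php.

Added example (not Drupal's own code). It assumes the lookup order Drupal 5
documents for its sites/ directory, used here to show that with only
sites/default present every virtual host resolves to the same single site.
"""
import os
import tempfile


def candidate_dirs(http_host, script_name):
    """Return the sites/ subdirectory names to try, most specific first.

    For host www.foo.com and script /drupal5/index.php the order is:
      www.foo.com.drupal5, foo.com.drupal5, com.drupal5,
      www.foo.com, foo.com, com
    A port suffix (host:8080) becomes a leading component (8080.host...),
    mirroring how Drupal 5 builds the name.
    """
    parts = http_host.rstrip('.').split(':')
    host = '.'.join(reversed(parts)).split('.')
    # '/drupal5/index.php' -> ['', 'drupal5', 'index.php']; the script file
    # itself is never part of a directory name.
    uri = script_name.split('/')
    dirs = []
    for i in range(len(uri) - 1, 0, -1):
        for j in range(len(host), 0, -1):
            dirs.append('.'.join(host[-j:]) + '.'.join(uri[:i]))
    return dirs


def conf_path(sites_root, http_host, script_name):
    """Pick the first candidate directory holding a settings.php,
    falling back to 'default' exactly like an unconfigured multisite."""
    for d in candidate_dirs(http_host, script_name):
        if os.path.exists(os.path.join(sites_root, d, 'settings.php')):
            return d
    return 'default'


def resolve_for_hosts(configured_sites, hosts, script_name='/drupal5/index.php'):
    """Build a throwaway sites/ tree (constructed input) containing an empty
    settings.php for each name in configured_sites, then map every host in
    hosts to the site directory Drupal would select for it."""
    with tempfile.TemporaryDirectory() as root:
        for site in configured_sites:
            os.makedirs(os.path.join(root, site))
            open(os.path.join(root, site, 'settings.php'), 'w').close()
        return {h: conf_path(root, h, script_name) for h in hosts}


if __name__ == '__main__':
    # Stock layout: only sites/default exists, so both hosts are one site.
    print(resolve_for_hosts(['default'], ['www.foo.com', 'www.bar.com']))
    # Admin-added host directory: only that host gets its own configuration.
    print(resolve_for_hosts(['default', 'www.foo.com.drupal5'],
                            ['www.foo.com', 'www.bar.com']))
```

With only sites/default present, www.foo.com/drupal5 and www.bar.com/drupal5 both resolve to the same settings and therefore the same database, which is the "one site on many virtual hosts" situation described above; a separate site (and a separate exposure) appears only once an administrator creates a host-specific directory.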
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]