CMS Made Simple Forums

Hi

1.10.3 ModuleManager uses the standard XMLReader class. However I'm being prevented from upgrading to 1.10.3 from 1.9.4.3 because the hosting company is unwilling to enable this class. It says it is a security risk on a shared server. Are there any alternatives other than moving to a different hosting company or hosting plan?

Richard Williams

First of all its nonsense that XMLReader would be a security risk. It would more likely be a failure of the hosting provider to configure a decent and secure server.

I think the alternative would be to not use Module Manager and update or install all modules manually using the tar.gz file.

it's best to either convince the hosting company that they're wrong:

- How can a class that just reads data from <anywhere> and parses it as XML be a security risk. I've seen some stupidity by hosting companies before, but this is pretty close to the top.

It's more likely they locked it down because of some vulnerability in some other package... again, dumb move.

Or find a new host. Besides, it's not just the ModuleManager that uses the XmlReader stuff (the core uses it if you want to upload an xml file) and some modules use it.

Thanks for the advice. I don't particularly want to change hosting company. I've thought of another possible solution but don't know cmsmadesimple well enough to know if there are any hidden consequences.

I have a private in-house Linux server that I use for development purposes and I know that 1.10.3 works well here. What I've thought of doing is to backup my development site and re-create the 'live' 1.9.4.3 system in-house from the site and MySQL backups I took before attempting the upgrade to 1.10.3. Then I'll upgrade the development site to 1.10.3, ensuring all the modules I use on the live system are brought up to date. The last step will be to copy this system (including the database) back to the 'live' server with the exception of the config.inc.php file.

The one drawback I can see is that I'll have to repeat this process any time I want to do another upgrade or install new modules from an XML file. The site itself isn't at all complicated and only uses a few extra modules such as CGExtensions, FEU and Gallery and their dependencies. I'm not aware of using any modules that use XML other than the Module Manager. Are there any other drawbacks to this method that I haven't spotted?

Richard Williams.

I'm not shure but I think CMSMS uses XMLReader as far back to at least CMS1.5. Why would it be a problem now but not before?
I also can give you a very good reason to change hosting provider: They are unwilling to help you with a very simple and wide used class that is available on virtually every other hosting provider in the world.

Maybe your trick with copying the complete website would work, but this shouldn't be your problem at all. It's your hosting providers problem. They have to solve it. You can try, but then you are on your own. We are not going to solve the problems of an incapable hosting provider on this forum.

My idea of copying from another server didn't work. It looked as if it was going to, then I found Smarty errors on pages using FEU. As a result, the live site is now back on 1.9.4.3. I'm still trying to find out why the hosting company won't enable XMLReader.

Richard Williams