> last time I dealt with Drupal (back in 5 and 6 days), it would actively complain if it could write to its own directory,
That's great, but if you remember drupalgeddon, the attack vector (sql injection) used the url routing system, which very conveniently would map a path to any php function + arguments. Ugh.
SQL Insert a call to php's eval + the code of your choice as the args and voila, SQL injection becomes rce instantly.
I can understand a CMS having read write access to the database, the main benefit is to update the content of course. But mapping paths to executable code, straight into the database is a highly dubious choice.
That's great, but if you remember drupalgeddon, the attack vector (sql injection) used the url routing system, which very conveniently would map a path to any php function + arguments. Ugh.
SQL Insert a call to php's eval + the code of your choice as the args and voila, SQL injection becomes rce instantly.
I can understand a CMS having read write access to the database, the main benefit is to update the content of course. But mapping paths to executable code, straight into the database is a highly dubious choice.