Should disabled modules be considered a security risk?

In light of this change

My question is: should a disabled module be called out as a security risk? In my case, I have disabled several modules I don’t want to use. As a result of this change, they are not getting updated. My dashboard is now calling them out as being a security risk…but they are disabled…so are they really a security risk?

IMHO, I think that disabled modules should not be considered security risks because they are not active and cannot be exploited…is this wrong?

It is potentially possible to exploit a system with a disabled module, but highly unlikely with an official signed module from the FreePBX repo(s). There was an exploit a few years ago where a malicious user would install an unsigned, unpublished module on the system but leave it disabled, which allowed untrusted access to the system. That is a whole different level of risk, but an illustration of what’s possible. Ignoring disabled modules for security purposes would not be good practice.

Lorne, I guess this makes the recent change all the more puzzling. If you are saying that ALL modules should be upgraded, even disabled ones, and yet disabled modules will NOT be upgraded, then are you saying you should not disable modules?
Is there another way to upgrade a disabled module?

With the new framework you can now delete unused modules without seeing them come back again automatically. If you don’t wish to delete them, presumably to preserve existing config, then you will need to temporarily re-enable, upgrade then disable again.
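As an added illustration (not code from the FreePBX project or from anyone in this thread), the re-enable, upgrade, disable cycle described above can be scripted so that no disabled module is silently left on an old version. It assumes the `fwconsole` CLI with its `ma list`, `ma enable`, `ma upgrade` and `ma disable` subcommands; the table layout in `SAMPLE_LIST` is a constructed sample for offline testing and may not match a real install exactly, so check the column order on your system before running it for real.

```shell
#!/bin/sh
# Added example, not FreePBX project code. Assumes the fwconsole CLI.
# The listing below is CONSTRUCTED sample output in the style of
# `fwconsole ma list`; the real table may differ, adjust the awk fields if so.
SAMPLE_LIST='+-----------+---------+---------------+---------+
| Module    | Version | Status        | License |
+-----------+---------+---------------+---------+
| framework | 16.0.1  | Enabled       | GPLv3+  |
| paging    | 16.0.3  | Disabled      | GPLv3+  |
| queues    | 16.0.2  | Enabled       | GPLv3+  |
| tts       | 16.0.1  | Disabled      | GPLv3+  |
| ucp       | 16.0.4  | Not Installed | GPLv3+  |
+-----------+---------+---------------+---------+'

# Read a module listing on stdin and print the name of every module whose
# Status column is exactly "Disabled" (one per line). "Not Installed"
# modules have no code on disk and are intentionally skipped.
disabled_modules() {
    awk -F'|' '
        NF >= 4 {
            name = $2; status = $4
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", status)
            if (status == "Disabled") print name
        }'
}

# For each module name on stdin: enable it, pull the update, disable it again.
# The chain stops at the first failing step so a module is never left enabled
# because its upgrade failed. With DRY_RUN=1 the commands are only printed.
refresh_disabled() {
    while read -r mod; do
        [ -n "$mod" ] || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "fwconsole ma enable $mod && fwconsole ma upgrade $mod && fwconsole ma disable $mod"
        else
            fwconsole ma enable "$mod" && fwconsole ma upgrade "$mod" && fwconsole ma disable "$mod"
        fi
    done
}

# Offline dry run against the constructed sample:
#   printf '%s\n' "$SAMPLE_LIST" | disabled_modules | DRY_RUN=1 refresh_disabled
# On a live system (after verifying the table columns):
#   fwconsole ma list | disabled_modules | refresh_disabled
```

Modules you never intend to use are simpler to delete, as the post above says; the script is for the case where you want to keep the configuration of a disabled module but still have it patched.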

Lorne, sorry, I missed that in the announcement…ok, so I can delete my disabled modules and not have to worry about the security…great.

Thanks for clarifying!
