#4762 - Critical Security Vulnerability in Composr CMS
Automated response: Explain that administrative accounts can control web hosting
Some people may be naive and provide web hosting for a Composr site, without realizing they are effectively giving any administrator of that site control of their hosting.
This is not unique to Composr by any means. Web interface installation of PHP-based addons is a very common feature in CMS and forum software, and a necessary process for the audience Composr is targeted for. Composr goes further with a remote shell, but there's no escalation because the same could be achieved by uploading malicious addons.
Just document this in the installation tutorial to make sure it is understood by those who do their research.