How can the installer be trusted?
Many customers are understandably cautious about entering their FTP username and password into the CGI installer. The following points may be worth considering:
The CGI installer has been running every day since August, 1999. It has installed to thousands of web sites. There has never been a complaint about a security breach due to the installer.
This site, xav.com, runs an unmoderated public forum and so it would be easy for anyone to lodge complaints and have them visible publicly.
Under many server configurations, a CGI script executes with privileges equal to the account owner. Thus, when you install a CGI script from somebody, you are already giving their script freedom to do anything it wants with your account.
In this sense, if you trust Fluid Dynamics enough to run their software, then you may as well trust them with your account credentials, because the security considerations are very similar.
All scripts are offered as a download. The auto-installer is an option for those who need it, but it is only an option.
If you have any concerns about privacy, you may contact Fluid Dynamics.
What risks are involved?
It is possible that your username and password could be compromised under the following conditions:
If somebody is running a packet sniffing tool or other tracing tool on the network, then they may "see" all of the data passing between your computer and the installer, and between the installer and your web server. This data would include your username and password.
In practice, this could be done only by users on the local network where your computer resides, or by network administrators on any of the networks between your computer, the installer, and your web server.
If you normally author your web site with FTP or another clear-text authoring tool, then the local users on your network and the network admins for your web server will already be able to discover your credentials in this way, and so using the auto-installer will not increase your risk significantly.
If somebody were to hack the xav.com server and compromise the install.cgi code, then it could be made to extract your username and password during the install. This server is locked down fairly tight and the code is constantly reviewed, but this still remains a theoretical possibility.
Note that all downloaded software is susceptible to the general risk of somebody hacking the download server and compromising the sources.
How to minimize the risks
Change your password after the install completes.
Use the SSL version of the installer running at https://www.xav.com/.
Perform a manual install.
"How can the installer be trusted?" http://www.xav.com/scripts/installer/3053.html