
List:       drupal-development
Subject:    [development] Remove PHP filter by default
From:       dopry () thing ! net (Darrel O'Pry)
Date:       2006-01-31 21:20:13
Message-ID: 1138742403.6894.8.camel () localhost ! localdomain

got a formula for that... That's a hot one.

On Mon, 2006-01-30 at 02:18 +0200, Adrian Rossouw wrote:
> On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
> >
> > <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
> > uid=1"); ?>
> 
> It's not just that site either.
> 
> A php page can open up all the settings.php files in sites/* and  
> change the passwords
> for ANY of your sites.
> 
> So a single person on a large multisite install could compromise ALL  
> the sites.
> 
> FYI: I set db credentials in the virtual host entry using setenv, so  
> that it is only defined
> for that session.
> 
> --
> Adrian Rossouw
> Drupal developer and Bryght Guy
> http://drupal.org | http://bryght.com
> 
> 
> 
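
The SetEnv approach mentioned in the quoted message, as an added example that is not part of the original thread or of Drupal itself. The `DRUPAL_DB_*` variable names, the host name and the helper `db_url_from_env()` are hypothetical; the `$db_url` format and its URL-decoding of each part are assumed from Drupal settings.php of that era.

```php
<?php
// Added example, not code from the thread. Assumed Apache vhost (mod_env),
// in a config file readable only by root:
//
//   <VirtualHost *:80>
//     ServerName site-a.example
//     SetEnv DRUPAL_DB_USER site_a
//     SetEnv DRUPAL_DB_PASS constructed-sample-password
//     SetEnv DRUPAL_DB_NAME site_a
//   </VirtualHost>
//
// sites/site-a.example/settings.php then holds no secret on disk, so PHP
// running under another vhost that reads sites/*/settings.php finds none.

// Hypothetical helper: build $db_url from the per-vhost environment.
function db_url_from_env() {
  $parts = array();
  foreach (array('USER', 'PASS', 'NAME') as $key) {
    $value = getenv('DRUPAL_DB_' . $key);
    if ($value === false || $value === '') {
      // Fail closed: never fall back to a shared or default credential.
      header('HTTP/1.1 503 Service Unavailable');
      exit('Database configuration missing.');
    }
    // Encode so characters such as @ : / in a password cannot change how
    // the URL is parsed (assumes the parts are URL-decoded on connect).
    $parts[$key] = rawurlencode($value);
  }
  // Optional host override; defaults to a local database server.
  $host = getenv('DRUPAL_DB_HOST');
  if ($host === false || $host === '') {
    $host = 'localhost';
  }
  return 'mysql://' . $parts['USER'] . ':' . $parts['PASS']
       . '@' . $host . '/' . $parts['NAME'];
}

$db_url = db_url_from_env();
```

This narrows only the cross-site exposure: PHP executed inside site-a's own requests can still call `getenv()` and read that site's credentials, so each site also needs its own database user with rights to its own database only.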
