List: drupal-development
Subject: [development] Remove PHP filter by default
From: dopry () thing ! net (Darrel O'Pry)
Date: 2006-01-31 21:20:13
Message-ID: 1138742403.6894.8.camel () localhost ! localdomain
Got a formula for that... That's a hot one.
On Mon, 2006-01-30 at 02:18 +0200, Adrian Rossouw wrote:
> On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
> >
> > <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
> > uid=1"); ?>
>
> It's not just that site either.
>
> A PHP page can open up all the settings.php files in sites/* and
> change the passwords
> for ANY of your sites.
>
> So a single person on a large multisite install could compromise ALL
> the sites.
>
> FYI: I set db credentials in the virtual host entry using setenv, so
> that it is only defined
> for that session.
>
> --
> Adrian Rossouw
> Drupal developer and Bryght Guy
> http://drupal.org | http://bryght.com
>
>
>
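
Added example, not part of the original thread: a shell audit for the multisite risk described above, reporting which sites/*/settings.php files hold a literal database password and which read it from the environment, as the quoted message suggests. The Drupal 4.x `$db_url` layout is assumed; the variable name `DRUPAL_DB_URL` and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes Drupal 4.x-style settings:
#   $db_url = 'driver://user:password@host/database';

# audit_settings DRUPAL_ROOT
# Prints "<status> <path>" for every sites/*/settings.php:
#   LITERAL  an active $db_url line embeds user:password@ in the file
#   ENV      $db_url is read from getenv(), $_SERVER or $_ENV
#   OTHER    $db_url is set some other way (review by hand)
#   NONE     no active $db_url assignment
# Returns 1 if any file is LITERAL, otherwise 0.
audit_settings() {
  local root=$1 f lines status rc=0
  for f in "$root"/sites/*/settings.php; do
    [ -f "$f" ] || continue
    # Active assignments only: commented lines start with #, // or *.
    lines=$(grep -E '^[[:space:]]*\$db_url' "$f" || true)
    if [ -z "$lines" ]; then
      status=NONE
    elif printf '%s\n' "$lines" | grep -Eq "['\"][a-z]+://[^:'\"@/]+:[^'\"@]+@"; then
      status=LITERAL; rc=1
    elif printf '%s\n' "$lines" | grep -Eq 'getenv\(|\$_SERVER|\$_ENV'; then
      status=ENV
    else
      status=OTHER
    fi
    printf '%s %s\n' "$status" "$f"
  done
  return "$rc"
}

# demo: runs the audit over a constructed two-site tree.
# DRUPAL_DB_URL is a hypothetical variable name set per virtual host.
demo() {
  local d rc=0
  d=$(mktemp -d)
  mkdir -p "$d/sites/a.example" "$d/sites/b.example"
  echo "\$db_url = 'mysql://drupal:s3cret@localhost/site_a';" \
    > "$d/sites/a.example/settings.php"
  echo "\$db_url = getenv('DRUPAL_DB_URL');" > "$d/sites/b.example/settings.php"
  audit_settings "$d" || rc=$?
  rm -rf "$d"
  return "$rc"
}

if [ "$#" -gt 0 ]; then audit_settings "$1"; else demo || true; fi
```

Moving credentials into the virtual host keeps them out of files that another site's PHP code can open, but PHP running inside that virtual host can still read its own environment.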