[development] Remove PHP filter by default
Larry Garfield
larry at garfieldtech.com
Sun Jan 29 22:00:25 UTC 2006
On Sunday 29 January 2006 15:33, Morbus Iff wrote:
> > We have investigated the ways to become SU. in drupal 4.7 there are at
> > least 7 totally different ways of rooting (for becoming SU is that,
> > exactly) a drupal site. Nearly all are related to gaining PHP rights,
> > then using that to change
>
> I'm confused - how can a PHP input filter cause a user to become root,
> when PHP execs itself in the user space of the Apache process?
Not Unix root, but Drupal root.
<?php db_query("Update {users} set name='me', pass=md5('ownzed') where
uid=1"); ?>
View that page. Then log in as me/ownzed and you've just taken over UID 1.
(Above code may only work on MySQL, but I'm sure a postgres version is no more
difficult.)
I think that's the kind of thing people are worried about, and now that I
think about it so am I.
I think the simplest solution is just to move the PHP filter to a contrib
module. Those that want it can drop it in and enable it, while those that
don't need it don't have to worry about it.
--
Larry Garfield AIM: LOLG42
larry at garfieldtech.com ICQ: 6817012
"If nature has made any one thing less susceptible than all others of
exclusive property, it is the action of the thinking power called an idea,
which an individual may exclusively possess as long as he keeps it to
himself; but the moment it is divulged, it forces itself into the possession
of every one, and the receiver cannot dispossess himself of it." -- Thomas
Jefferson
More information about the development
mailing list