[drupal-support] Multi-site's gaping security hole

Bill Fitzgerald bill at funnymonkeydata.com
Tue Oct 25 13:01:01 UTC 2005


I could be wrong on this (but I really hope I'm not) --

This hole would only exist if PHP was allowed via the input formats. If 
PHP code was only allowed for VERY TRUSTED users, this should become a 
non-issue.

I'd love to get some feedback on this, because if I am wrong on this, 
this could be a pretty big vulnerability that could undermine the 
practical usefulness of multi-site installs.

Bill.
Steve Dondley wrote:

>On a multi-site setup, it's a trivial matter for someone to create a
>node with some PHP code that takes a peek at another site's
>settings.php file.  Example:
>
><?php
>
>$file = file ( 'sites/example.com/settings.php' );
>
>foreach ($file as $key => $line) {
> print $line;
> print "<br />";
>}
>
>?>
>
>What's the best practice for eliminating this problem?
>
>
>--
>Dondley Communications
>http://www.dondleycommunications.com
>
>Communicate or Die: American Labor Unions and the Internet
>http://www.communicateordie.com
>  
>
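
An added example, not part of the original messages: a Python check over exported node bodies that reports PHP-format nodes whose code reads another site's settings.php by literal path, as in the quoted snippet. The record fields (site, nid, php_format, body) and the sample nodes are constructed for illustration.

```python
import re

# PHP constructs that read or include a file (a non-exhaustive list).
READERS = (r"\b(?:file_get_contents|file|fopen|readfile|highlight_file|"
           r"show_source|include_once|include|require_once|require)")
# A reader followed by a quoted literal path ending in sites/<dir>/settings.php.
PATTERN = re.compile(
    READERS + r"\s*\(?\s*['\"]([^'\"]*sites/([^/'\"]+)/settings\.php)['\"]",
    re.IGNORECASE)

def cross_site_reads(nodes):
    """Return (site, nid, path) for PHP-format nodes that read the
    settings.php of a site directory other than their own."""
    findings = []
    for node in nodes:
        if not node["php_format"]:
            continue  # body is never evaluated as PHP, only displayed
        for m in PATTERN.finditer(node["body"]):
            path, target = m.group(1), m.group(2)
            if target.lower() != node["site"].lower():
                findings.append((node["site"], node["nid"], path))
    return findings

# Constructed sample export; field names are hypothetical.
SNIPPET = "<?php\n$file = file ( 'sites/example.com/settings.php' );\n?>"
SAMPLE_NODES = [
    {"site": "other.example.org", "nid": 12, "php_format": True, "body": SNIPPET},
    {"site": "example.com", "nid": 3, "php_format": True, "body": SNIPPET},
    {"site": "other.example.org", "nid": 7, "php_format": False, "body": SNIPPET},
]

if __name__ == "__main__":
    for site, nid, path in cross_site_reads(SAMPLE_NODES):
        print(f"{site} node {nid} reads {path}")
```

Only literal paths are matched; a path assembled at runtime will not be reported.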



