[support] Very Strange Security Breach

Greg Knaddison Greg at GrowingVentureSolutions.com
Fri Dec 17 16:10:20 UTC 2010


On Fri, Dec 17, 2010 at 12:20 AM, Bill Fitzgerald <bill at funnymonkey.com> wrote:
> * What roles have "administer comments" rights?
> * Are there any VBO-based comments administration views on the site?
> * How secure is the site's database? Is root access still available? If so,
> is the password secure?
> * Is phpMyAdmin installed on the site? That can be a weak spot.
> * Do the Apache logs from the time of the breach show anything odd/curious?

All sage advice and good questions.

> Also, at the risk of stating the obvious, I'd strongly recommend creating a
> superuser role and retiring your UID1 account for everything but
> upgrades/updates.

I think it's not so obvious and not really useful. If the "superuser
role" has the permission to "administer users" or "administer
permissions" then any user in that role has the exact same permissions
as UID1. The only difference is, as you state, running update.php (in
D7 that distinction is gone - anyone with the right permission can run
update.php).

The idea that "uid1 = unsafe" is a security myth that needs to die.
There are other more likely avenues of attack such as incorrectly
configured input formats.

For those interested, you can test your input formats against security
best practices by trying out http://drupal.org/project/security_review

Cheers,
Greg
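As an added example that is not part of this thread, a check that enumerates the accounts Greg's argument applies to: every active user in any role granted "administer users" or "administer permissions", plus uid 1 itself. It assumes the Drupal 7 table layout (users, role, role_permission, users_roles) and runs against an in-memory SQLite copy with constructed sample rows.

```python
import sqlite3
# Permissions that make a role equivalent to uid 1 (the point made above).
UID1_EQUIVALENT_PERMS = ("administer users", "administer permissions")
# Assumed Drupal 7 schema, reduced to the columns the check needs.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
"""
# Constructed sample data, not taken from any real site.
SAMPLE_ROWS = """
INSERT INTO users VALUES (1,'admin',1),(2,'editor',1),(3,'superuser',1),(4,'retired',0);
INSERT INTO role VALUES (2,'authenticated user'),(3,'content editor'),(4,'superuser');
INSERT INTO role_permission VALUES
  (3,'administer comments','comment'),
  (4,'administer users','user'),
  (4,'administer permissions','user');
INSERT INTO users_roles VALUES (2,3),(3,4),(4,4);
"""
# Active accounts reaching a uid1-equivalent permission through any role.
EFFECTIVE_ADMINS_SQL = """
SELECT DISTINCT u.uid, u.name, r.name AS via_role, rp.permission
FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r ON r.rid = ur.rid
JOIN role_permission rp ON rp.rid = r.rid
WHERE u.status = 1 AND rp.permission IN (?, ?)
ORDER BY u.uid, rp.permission
"""

def effective_admins(conn):
    """Return {uid: (name, sorted 'role: permission' reasons)} for every admin-equivalent account."""
    found = {}
    for uid, name, via_role, perm in conn.execute(EFFECTIVE_ADMINS_SQL, UID1_EQUIVALENT_PERMS):
        found.setdefault(uid, (name, set()))[1].add(f"{via_role}: {perm}")
    # uid 1 bypasses the permission system entirely, so list it regardless of roles.
    row = conn.execute("SELECT name FROM users WHERE uid = 1 AND status = 1").fetchone()
    if row:
        found.setdefault(1, (row[0], set()))[1].add("uid 1 (bypasses all permission checks)")
    return {uid: (name, sorted(reasons)) for uid, (name, reasons) in found.items()}

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn

if __name__ == "__main__":
    for uid, (name, how) in sorted(effective_admins(build_sample_db()).items()):
        print(f"uid {uid} ({name}): {', '.join(how)}")
```

The blocked account and the "administer comments" role are deliberately excluded, so the output is only the accounts that can do what uid 1 can.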

