[support] Very Strange Security Breach

Ryan LeTulle bayousoft at gmail.com
Fri Dec 17 16:47:51 UTC 2010


> For those interested, you can test your input formats against security
> best practices by trying out http://drupal.org/project/security_review


nice, thanks

:ryan

bayousoft.com <http://www.bayousoft.com>
twitter.com/bayousoft <http://www.twitter.com/bayousoft>





On Fri, Dec 17, 2010 at 10:10 AM, Greg Knaddison <Greg at growingventuresolutions.com> wrote:

> On Fri, Dec 17, 2010 at 12:20 AM, Bill Fitzgerald <bill at funnymonkey.com> wrote:
> > * What roles have "administer comments" rights?
> > * Are there any VBO-based comments administration views on the site?
> > * How secure is the site's database? Is root access still available? If so,
> > is the password secure?
> > * Is phpMyAdmin installed on the site? That can be a weak spot.
> > * Do the Apache logs from the time of the breach show anything odd/curious?
>
> All sage advice and good questions.
>
> > Also, at the risk of stating the obvious, I'd strongly recommend creating a
> > superuser role and retiring your UID1 account for everything but
> > upgrades/updates.
>
> I think it's not so obvious and not really useful. If the "superuser
> role" has the permission to "administer users" or "administer
> permissions" then any user in that role has the exact same permissions
> as UID1. The only difference is, as you state, running update.php (in
> D7 that distinction is gone - anyone with the right permission can run
> update.php).
>
> The idea that "uid1 = unsafe" is a security myth that needs to die.
> There are other more likely avenues of attack such as incorrectly
> configured input formats.
>
> For those interested, you can test your input formats against security
> best practices by trying out http://drupal.org/project/security_review
>
> Cheers,
> Greg
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>
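Greg's point that any role holding "administer users" or "administer permissions" is as powerful as UID1 turns into a simple audit of the site's role tables, which also answers Bill's question about who has "administer comments". This is an added example, not code from the thread or from the security_review module; it assumes the Drupal 7 `role` and `role_permission` tables and runs against constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Drupal 7 permission names from the thread. Holding either of the first two
# lets a user grant themselves every other permission, which is why a
# "superuser role" carrying them is no safer than UID1.
UID1_EQUIVALENT = ("administer permissions", "administer users")
WORTH_REVIEWING = ("administer comments",)

# Subset of the Drupal 7 schema (assumption of this example):
# role(rid, name) and role_permission(rid, permission, module).
SCHEMA = """
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
"""

# Constructed sample data standing in for a real site's database.
SAMPLE_ROLES = [(1, "anonymous user"), (2, "authenticated user"),
                (3, "moderator"), (4, "superuser")]
SAMPLE_GRANTS = [(1, "access content", "node"),
                 (2, "post comments", "comment"),
                 (3, "administer comments", "comment"),
                 (4, "administer comments", "comment"),
                 (4, "administer users", "user"),
                 (4, "administer permissions", "user")]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role VALUES (?, ?)", SAMPLE_ROLES)
    conn.executemany("INSERT INTO role_permission VALUES (?, ?, ?)", SAMPLE_GRANTS)
    return conn

def roles_holding(conn, permissions):
    """Map each permission to the sorted list of role names that hold it."""
    marks = ",".join("?" * len(permissions))
    rows = conn.execute(
        "SELECT rp.permission, r.name FROM role_permission rp "
        "JOIN role r ON r.rid = rp.rid "
        f"WHERE rp.permission IN ({marks}) ORDER BY rp.permission, r.name",
        permissions).fetchall()
    result = {p: [] for p in permissions}
    for permission, name in rows:
        result[permission].append(name)
    return result

def uid1_equivalent_roles(conn):
    """Roles that are effectively UID1: they hold a UID1_EQUIVALENT permission."""
    held = roles_holding(conn, UID1_EQUIVALENT)
    return sorted({name for names in held.values() for name in names})

if __name__ == "__main__":
    db = open_sample_db()
    for perm, names in roles_holding(db, UID1_EQUIVALENT + WORTH_REVIEWING).items():
        print(f"{perm}: {', '.join(names) or '(no roles)'}")
    print("UID1-equivalent roles:", uid1_equivalent_roles(db))
```

Account 1 never shows up in this output because Drupal grants it every permission in code rather than through these tables, so the query only tells you which roles have been made its equal.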

