[support] Very Strange Security Breach

Steve Power steev at initsix.co.uk
Fri Dec 17 16:57:12 UTC 2010


thanks for the heads-up mate. that's a great module.

On Fri, Dec 17, 2010 at 4:47 PM, Ryan LeTulle <bayousoft at gmail.com> wrote:

> For those interested, you can test your input formats against security
> best practices by trying out http://drupal.org/project/security_review
>
> nice, thanks
>
> :ryan
>
> bayousoft.com <http://www.bayousoft.com>
> twitter.com/bayousoft <http://www.twitter.com/bayousoft>
>
> On Fri, Dec 17, 2010 at 10:10 AM, Greg Knaddison <
> Greg at growingventuresolutions.com> wrote:
>
>> On Fri, Dec 17, 2010 at 12:20 AM, Bill Fitzgerald <bill at funnymonkey.com>
>> wrote:
>> > * What roles have "administer comments" rights?
>> > * Are there any VBO-based comments administration views on the site?
>> > * How secure is the site's database? Is root access still available? If so,
>> > is the password secure?
>> > * Is phpMyAdmin installed on the site? That can be a weak spot.
>> > * Do the Apache logs from the time of the breach show anything odd/curious?
>>
>> All sage advice and good questions.
>>
>> > Also, at the risk of stating the obvious, I'd strongly recommend creating a
>> > superuser role and retiring your UID1 account for everything but
>> > upgrades/updates.
>>
>> I think it's not so obvious and not really useful. If the "superuser
>> role" has the permission to "administer users" or "administer
>> permissions" then any user in that role has the exact same permissions
>> as UID1. The only difference is, as you state running update.php (in
>> D7 that distinction is gone - anyone with the right permission can run
>> update.php).
>>
>> The idea that "uid1 = unsafe" is a security myth that needs to die.
>> There are other more likely avenues of attack such as incorrectly
>> configured input formats.
>>
>> For those interested, you can test your input formats against security
>> best practices by trying out http://drupal.org/project/security_review
>>
>> Cheers,
>> Greg
>> --
>> [ Drupal support list | http://lists.drupal.org/ ]
>>
>
>
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>



-- 
Steve Power
Principal Consultant
Mobile: +44 (0) 7747 027 243
Fax: +44 (0)160 421 2871
Skype: steev_initsix
www.initsix.co.uk :: Initsix Heavy Engineering Limited
--
This email and any attachments to it may be confidential and are intended
solely for the use of the individual to whom it is addressed. Any views or
opinions expressed are solely those of the author and do not necessarily
represent those of Initsix Heavy Engineering Limited.
If you are not the intended recipient of this email, you must neither take
any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error.

Initsix Heavy Engineering Limited
Registered in the UK: 5036938
Registered Address: 243 Kettering Road, Northampton, NN2 7DU, England.
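Added example, not code from the thread or from the security_review module: a small audit script over a Drupal-style role/permission map and a list of input formats, covering the two points raised above. It flags roles that are UID1-equivalent because they hold "administer users" or "administer permissions" (plus "administer filters", an assumption added here because that permission lets a role rewrite the input formats themselves), lists who holds "administer comments", and flags input formats that lack the HTML tag filter yet are available to untrusted roles. The role names, permission strings and format data are constructed sample values in the shape Drupal 6 uses, not taken from any real site.

```python
"""Audit Drupal-style roles and input formats for UID1-equivalent privilege
and unfiltered HTML exposed to untrusted roles. Constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Permissions that make a role as powerful as UID1 (from the thread), plus
# "administer filters" (assumption: editing input formats is escalation too).
UID1_EQUIVALENT: FrozenSet[str] = frozenset(
    {"administer users", "administer permissions", "administer filters"}
)

# Roles whose members we do not trust with raw HTML.
UNTRUSTED_ROLES: FrozenSet[str] = frozenset({"anonymous user", "authenticated user"})

# Filter that restricts allowed tags; its absence means "full HTML".
HTML_FILTER = "filter_html"


@dataclass(frozen=True)
class InputFormat:
    name: str
    roles: FrozenSet[str]    # roles allowed to use this format
    filters: FrozenSet[str]  # filters applied, e.g. filter_html, filter_url


# Constructed sample site configuration.
ROLE_PERMS: Dict[str, Set[str]] = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "post comments"},
    "editor": {"administer comments", "administer nodes"},
    "superuser": {"administer users", "administer permissions", "administer nodes"},
}

FORMATS: List[InputFormat] = [
    InputFormat("Filtered HTML", frozenset({"anonymous user", "authenticated user"}),
                frozenset({"filter_html", "filter_url"})),
    InputFormat("Full HTML", frozenset({"editor", "superuser"}), frozenset({"filter_url"})),
    # Misconfigured: no tag filter, yet every logged-in user may select it.
    InputFormat("Legacy", frozenset({"authenticated user"}), frozenset({"filter_autop"})),
]


def uid1_equivalent_roles(role_perms: Dict[str, Set[str]]) -> List[str]:
    """Roles that can grant themselves anything, so are effectively UID1."""
    return sorted(role for role, perms in role_perms.items() if perms & UID1_EQUIVALENT)


def roles_with(role_perms: Dict[str, Set[str]], permission: str) -> List[str]:
    """Roles holding one named permission, e.g. 'administer comments'."""
    return sorted(role for role, perms in role_perms.items() if permission in perms)


def unsafe_formats(formats: List[InputFormat],
                   untrusted: FrozenSet[str] = UNTRUSTED_ROLES) -> List[Tuple[str, List[str]]]:
    """Formats with no HTML tag filter that an untrusted role may use.
    Returns (format name, offending roles) pairs."""
    findings = []
    for fmt in formats:
        exposed = fmt.roles & untrusted
        if HTML_FILTER not in fmt.filters and exposed:
            findings.append((fmt.name, sorted(exposed)))
    return findings


def audit(role_perms: Dict[str, Set[str]], formats: List[InputFormat]) -> Dict[str, object]:
    """Run all checks and return a report dict (also printed when run directly)."""
    return {
        "uid1_equivalent": uid1_equivalent_roles(role_perms),
        "administer_comments": roles_with(role_perms, "administer comments"),
        "unsafe_formats": unsafe_formats(formats),
    }


if __name__ == "__main__":
    report = audit(ROLE_PERMS, FORMATS)
    print("Roles equivalent to UID1:", report["uid1_equivalent"])
    print("Roles with 'administer comments':", report["administer_comments"])
    for name, roles in report["unsafe_formats"]:
        print(f"Format '{name}' has no {HTML_FILTER} but is open to: {roles}")
```

On the sample data the "superuser" role is reported as UID1-equivalent, which is the point Greg makes: retiring UID1 changes nothing while such a role exists. The "Legacy" format is the one a practitioner would actually fix first, since it hands unfiltered HTML to every authenticated account; "Full HTML" is not flagged because only trusted roles can use it.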

