[support] Very Strange Security Breach
Marc Poris
marc at funnymonkey.com
Fri Dec 17 17:19:30 UTC 2010
> The idea that "uid1 = unsafe" is a security myth that needs to die.
> There are other more likely avenues of attack such as incorrectly
> configured input formats.
There are plenty of contrib modules that check for uid == 1 and dole out additional privileges, so while Drupal core may only check for uid == 1 in user_access() and user_register_submit(), your site is only as secure as your weakest contrib module.
Here are three examples of (uid == 1) checks from a site I'm looking at now (and I'm sure you can find a module or two that I've contributed where I've done the same thing):
From workflow.module:

function workflow_field_choices($node) {
  ...
  if ($user->uid == 1) {
    // Superuser is special.
    $roles = 'ALL';
  }
  ...
}

From flag module's flag.inc:

function user_access($account = NULL) {
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }
  $matched_roles = array_intersect($this->roles, array_keys($account->roles));
  return !empty($matched_roles) || empty($this->roles) || $account->uid == 1;
}

From drupad.module:

function drupad_authorize() {
  global $user;
  if (!strstr($_SERVER['HTTP_USER_AGENT'], 'Drupad')) {
    return FALSE;
  }
  if ($user->uid == 0) {
    return FALSE;
  }
  if (user_access('use Drupad application')) {
    return TRUE;
  }
  if ($user->uid == 1) {
    return TRUE;
  }
  if (arg(0) == 'drupad') {
    drupad_unauthorized();
  }
  return FALSE;
}

- Marc
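
Added example, not part of the original post or of any of the modules quoted in it: one way to audit a module tree for the hard-coded uid 1 comparisons the message describes, so each can be reviewed against the site's permission model. The names `find_uid1_checks`, `strip_comments`, `SAMPLE` and `example_owner_check` are hypothetical, and the sample PHP is constructed.

```python
import re

OP = r"\s*[!=]==?\s*"      # ==, ===, != or !==
ONE = r"['\"]?1['\"]?"     # 1, '1' or "1"
UID1 = re.compile(r"->uid" + OP + ONE + r"(?!\d)|(?<![\w.])" + ONE + OP + r"\$\w+->uid\b")
FUNC = re.compile(r"\bfunction\s+&?(\w+)\s*\(")

def strip_comments(line, in_block):
    """Drop //, # and /* */ comments from one line (heuristic: ignores string literals)."""
    out = ""
    while line:
        if in_block:
            end = line.find("*/")
            if end < 0:
                return out, True
            line, in_block = line[end + 2:], False
            continue
        m = re.search(r"/\*|//|#", line)
        if not m:
            return out + line, False
        out += line[:m.start()]
        if m.group() != "/*":
            return out, False
        line, in_block = line[m.end():], True
    return out, in_block

def find_uid1_checks(source, filename="constructed.module"):
    """Return (filename, line_no, enclosing_function, line) per hard-coded uid 1 test."""
    hits, func, in_block = [], None, False
    for no, raw in enumerate(source.splitlines(), 1):
        code, in_block = strip_comments(raw, in_block)
        m = FUNC.search(code)
        if m:
            func = m.group(1)
        if UID1.search(code):
            hits.append((filename, no, func, raw.strip()))
    return hits

# Constructed sample input, modelled on the excerpts in the post above.
SAMPLE = """\
function drupad_authorize() {
  if ($user->uid == 0) { return FALSE; }
  // if ($user->uid == 1) { return TRUE; }
  if ($user->uid == 1) { return TRUE; }
}
function example_owner_check($account) {
  /* legacy: 1 == $account->uid */
  return $account->uid == 10 || '1' === $account->uid;
}
"""
```

To audit a real site, pass the text of each .module and .inc file to `find_uid1_checks` and review every hit for privileges granted outside the permission system.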