[support] Very Strange Security Breach

Greg Knaddison Greg at GrowingVentureSolutions.com
Fri Dec 17 17:58:13 UTC 2010


On Fri, Dec 17, 2010 at 10:19 AM, Marc Poris <marc at funnymonkey.com> wrote:
>> The idea that "uid1 = unsafe" is a security myth that needs to die.
>> There are other more likely avenues of attack such as incorrectly
>> configured input formats.
>
> There are plenty of contrib modules that check for uid == 1 and dole out additional privileges, so while Drupal core may only check for uid == 1 in user_access() and user_register_submit(), your site is only as secure as your weakest contrib module.
>

Sure, and I've even used that fact to set the 'access arguments' on a
menu item to be <? array("something that doesn't exist"), ?> so that
only UID 1 can access that callback, however:

1. In a quick review it seems all the examples you showed could also
be accessed with the right roles/permissions and my argument was that
someone with "administer users" and "administer permissions" can
already grant whatever things they need to get access to that feature.

2. Someone with those permissions can easily escalate themselves to
become uid1 by enabling some module that executes PHP and then
creating a snippet like <?php global $user; $user = user_load(1); ?>

Aside from Bill's followup about splitting administration roles
(totally agree there, great point), my claim is:

From a security perspective, there is no difference between UID 1 and
someone who has a role "administer users" and/or "administer
permissions."

Cheers,
Greg
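For readers who have not seen the 'access arguments' trick Greg mentions, here is an added illustration of both access patterns side by side. It is example code written for this page, not code from the thread or from Drupal itself; it assumes the Drupal 6 hook API (hook_perm, hook_menu, user_access), and the module name, paths and permission strings are made up.

```php
<?php
// uid1_demo.module: added example, not code from the thread. Assumes the
// Drupal 6 hook API (hook_perm, hook_menu, user_access); the module name,
// paths and permission strings are invented for illustration.

/**
 * Implementation of hook_perm().
 *
 * Declaring a permission here is what makes it appear on
 * admin/user/permissions, so anyone with "administer permissions" can
 * grant it to any role, including their own.
 */
function uid1_demo_perm() {
  return array('view uid1 demo report');
}

/**
 * Implementation of hook_menu().
 *
 * With 'access arguments' set and no 'access callback', Drupal 6 calls
 * user_access() with those arguments to decide who may reach the path.
 */
function uid1_demo_menu() {
  $items = array();

  // Normal pattern: a declared permission. Reachable by uid 1 (user_access()
  // returns TRUE for uid 1 before looking at roles) and by any role that
  // holds the permission.
  $items['admin/reports/uid1-demo'] = array(
    'title' => 'uid1 demo report',
    'page callback' => 'uid1_demo_report',
    'access arguments' => array('view uid1 demo report'),
    'type' => MENU_NORMAL_ITEM,
  );

  // The trick from the thread: name a permission that no hook_perm()
  // declares. No role can ever hold this string, so user_access() is FALSE
  // for everyone except uid 1, whose short-circuit makes it TRUE. The
  // result is a uid-1-or-nothing gate, not a separate privilege level, and
  // it rests entirely on that short-circuit in user_access().
  $items['admin/reports/uid1-demo/owner-only'] = array(
    'title' => 'uid1 demo owner-only page',
    'page callback' => 'uid1_demo_owner_only',
    'access arguments' => array('permission that does not exist'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Page callback: visible to any account with the declared permission.
 */
function uid1_demo_report() {
  global $user;
  return t('Report viewed by uid @uid.', array('@uid' => $user->uid));
}

/**
 * Page callback: in practice reachable only by uid 1.
 *
 * The menu access check already enforced this; the explicit test is a
 * second line of defence in case the item is ever reused with a different
 * access callback.
 */
function uid1_demo_owner_only() {
  global $user;
  if ($user->uid != 1) {
    return MENU_ACCESS_DENIED;
  }
  return t('Only uid 1 gets here.');
}
```

Enable the module and visit the two paths as uid 1, then as an account that only has "administer users" and "administer permissions": the second account can grant itself 'view uid1 demo report' and open the first path, but no role assignment will ever open the second. That is exactly the gap Greg argues is cosmetic, since the same account can become uid 1 for the duration of a request by running the `global $user; $user = user_load(1);` snippet through any module that evaluates PHP.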

