<blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
For those interested, you can test your input formats against security best practices by trying out <a href="http://drupal.org/project/security_review" target="_blank">http://drupal.org/project/security_review</a></blockquote><div><br></div><div>nice, thanks</div><div><br></div>:ryan<br><br>
<a href="http://www.bayousoft.com" target="_blank">bayousoft.com</a><br><a href="http://www.twitter.com/bayousoft" target="_blank">twitter.com/bayousoft</a><br><br><br><br>
<br><br><div class="gmail_quote">On Fri, Dec 17, 2010 at 10:10 AM, Greg Knaddison <span dir="ltr"><<a href="mailto:Greg@growingventuresolutions.com">Greg@growingventuresolutions.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Fri, Dec 17, 2010 at 12:20 AM, Bill Fitzgerald <<a href="mailto:bill@funnymonkey.com">bill@funnymonkey.com</a>> wrote:<br>
> * What roles have "administer comments" rights?<br>
> * Are there any VBO-based comments administration views on the site?<br>
> * How secure is the site's database? Is root access still available? If so,<br>
> is the password secure?<br>
> * Is phpMyAdmin installed on the site? That can be a weak spot.<br>
> * Do the Apache logs from the time of the breach show anything odd/curious?<br>
<br>
</div>All sage advice and good questions.<br>
<div class="im"><br>
> Also, at the risk of stating the obvious, I'd strongly recommend creating a<br>
> superuser role and retiring your UID1 account for everything but<br>
> upgrades/updates.<br>
<br>
</div>I think it's not so obvious and not really useful. If the "superuser<br>
role" has the permission to "administer users" or "administer<br>
permissions" then any user in that role has the exact same permissions<br>
as UID1. The only difference is, as you state, running update.php (in<br>
D7 that distinction is gone - anyone with the right permission can run<br>
update.php).<br>
<br>
The idea that "uid1 = unsafe" is a security myth that needs to die.<br>
There are other more likely avenues of attack such as incorrectly<br>
configured input formats.<br>
<br>
For those interested, you can test your input formats against security<br>
best practices by trying out <a href="http://drupal.org/project/security_review" target="_blank">http://drupal.org/project/security_review</a><br>
<br>
Cheers,<br>
<font color="#888888">Greg<br>
</font><div><div></div><div class="h5">--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br>
</div></div></blockquote></div><br>
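Greg's point above is that any account in a role holding "administer users" or "administer permissions" has the same effective power as UID 1, so an audit has to enumerate those accounts rather than only asking whether UID 1 is still in use. The script below is an added example written for this post, not code from the thread or from the Drupal project: it assumes a table layout mirroring Drupal 7's users, role, role_permission and users_roles tables (column names are an assumption), loads constructed sample rows into an in-memory SQLite database, and reports every account that is UID1-equivalent, plus which roles hold a given permission (Bill's "administer comments" question).

```python
import sqlite3

# Either of these lets a holder grant themselves any other permission,
# so a role carrying one of them is effectively UID 1 (Greg's point).
ROOT_EQUIVALENT_PERMISSIONS = ("administer users", "administer permissions")

# Assumed to mirror Drupal 7's schema; column names are our assumption.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
"""

# Constructed sample data for the example; not taken from any real site.
SAMPLE_DATA = """
INSERT INTO users VALUES (1, 'admin', 1), (2, 'alice', 1), (3, 'bob', 1), (4, 'carol', 0);
INSERT INTO role VALUES (2, 'authenticated user'), (3, 'superuser'), (4, 'editor');
INSERT INTO role_permission VALUES
  (2, 'access content', 'node'),
  (3, 'administer users', 'user'),
  (3, 'administer permissions', 'user'),
  (4, 'administer comments', 'comment');
INSERT INTO users_roles VALUES (2, 3), (3, 4), (4, 3);
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def roles_with(conn, permissions):
    """Return {rid: role name} for every role holding any of `permissions`."""
    placeholders = ",".join("?" * len(permissions))
    rows = conn.execute(
        "SELECT DISTINCT r.rid, r.name FROM role r "
        "JOIN role_permission rp ON rp.rid = r.rid "
        f"WHERE rp.permission IN ({placeholders})",
        tuple(permissions),
    ).fetchall()
    return dict(rows)


def uid1_equivalent_accounts(conn):
    """List accounts with UID 1's effective power, sorted by uid.

    UID 1 bypasses permission checks entirely in Drupal 6/7 regardless of
    roles, so it is always listed; every other account is listed once per
    uid with the first root-equivalent role that grants it the power.
    Blocked accounts are kept (active=False) because re-enabling one
    restores that power.
    """
    root_roles = roles_with(conn, ROOT_EQUIVALENT_PERMISSIONS)
    accounts = {}
    uid1 = conn.execute("SELECT uid, name, status FROM users WHERE uid = 1").fetchone()
    if uid1:
        accounts[1] = {"uid": 1, "name": uid1[1], "active": bool(uid1[2]), "via": "uid 1"}
    if root_roles:
        placeholders = ",".join("?" * len(root_roles))
        rows = conn.execute(
            "SELECT u.uid, u.name, u.status, ur.rid FROM users u "
            "JOIN users_roles ur ON ur.uid = u.uid "
            f"WHERE ur.rid IN ({placeholders}) ORDER BY u.uid, ur.rid",
            tuple(root_roles),
        ).fetchall()
        for uid, name, status, rid in rows:
            accounts.setdefault(
                uid, {"uid": uid, "name": name, "active": bool(status), "via": root_roles[rid]}
            )
    return [accounts[uid] for uid in sorted(accounts)]


if __name__ == "__main__":
    db = build_sample_db()
    for acct in uid1_equivalent_accounts(db):
        state = "active" if acct["active"] else "BLOCKED"
        print(f"uid {acct['uid']:>3} {acct['name']:<8} {state:<8} via {acct['via']}")
    print("roles with 'administer comments':", roles_with(db, ("administer comments",)))
```

On the sample, uid 1, alice and the blocked account carol are reported (the "superuser" role carries both root-equivalent permissions), while bob, whose only elevated right is "administer comments", is not; he shows up instead under the per-permission role listing. Against a real site the same two queries run unchanged on a copy of the database, and the review then reads as "retire or not, here is who already equals UID 1".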