thanks for the heads up mate. that's a great module.<br><br><div class="gmail_quote">On Fri, Dec 17, 2010 at 4:47 PM, Ryan LeTulle <span dir="ltr"><<a href="mailto:bayousoft@gmail.com">bayousoft@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
For those interested, you can test your input formats against security</blockquote><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
best practices by trying out <a href="http://drupal.org/project/security_review" target="_blank">http://drupal.org/project/security_review</a></blockquote><div><br></div></div><div>nice, thanks</div><div><br></div>:ryan<br>
<br>
<a href="http://www.bayousoft.com" target="_blank">bayousoft.com</a><br><a href="http://www.twitter.com/bayousoft" target="_blank">twitter.com/bayousoft</a><div><div></div><div class="h5"><br>
<br><div class="gmail_quote">On Fri, Dec 17, 2010 at 10:10 AM, Greg Knaddison <span dir="ltr"><<a href="mailto:Greg@growingventuresolutions.com" target="_blank">Greg@growingventuresolutions.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On Fri, Dec 17, 2010 at 12:20 AM, Bill Fitzgerald <<a href="mailto:bill@funnymonkey.com" target="_blank">bill@funnymonkey.com</a>> wrote:<br>
> * What roles have "administer comments" rights?<br>
> * Are there any VBO-based comments administration views on the site?<br>
> * How secure is the site's database? Is root access still available? If so,<br>
> is the password secure?<br>
> * Is phpMyAdmin installed on the site? That can be a weak spot.<br>
> * Do the Apache logs from the time of the breach show anything odd/curious ?<br>
<br>
</div>All sage advice and good questions.<br>
<div><br>
> Also, at the risk of stating the obvious, I'd strongly recommend creating a<br>
> superuser role and retiring your UID1 account for everything but<br>
> upgrades/updates.<br>
<br>
</div>I think it's not so obvious and not really useful. If the "superuser<br>
role" has the permission to "administer users" or "administer<br>
permissions" then any user in that role has the exact same permissions<br>
as UID1. The only difference is, as you state running update.php (in<br>
D7 that distinction is gone - anyone with the right permission can run<br>
update.php).<br>
<br>
The idea that "uid1 = unsafe" is a security myth that needs to die.<br>
There are other more likely avenues of attack such as incorrectly<br>
configured input formats.<br>
<br>
For those interested, you can test your input formats against security<br>
best practices by trying out <a href="http://drupal.org/project/security_review" target="_blank">http://drupal.org/project/security_review</a><br>
<br>
Cheers,<br>
<font color="#888888">Greg<br>
</font><div><div></div><div>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br>
</div></div></blockquote></div><br>
</div></div><br>
</blockquote></div><br><br clear="all"><br>-- <br>Steve Power<br>Principal Consultant<br>Mobile: +44 (0) 7747 027 243<div>
Fax: +44 (0)160 421 2871<br>Skype: steev_initsix<br><a href="http://www.initsix.co.uk" target="_blank">www.initsix.co.uk</a> :: Initsix Heavy Engineering Limited<br>
</div><br>
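Greg's point that any role holding "administer users" or "administer permissions" is as powerful as UID1, and Bill's question about which roles hold "administer comments", both reduce to the same audit. The following is an added example, not code from the thread or from the security_review module: a drush php-script for Drupal 7 (assumed API; assumed to be run with drush's `php-script` command from the site root) that lists each role holding one of those permissions together with its active members.

```php
<?php
// Added example (not from the thread): list roles that are effectively UID1
// and the accounts holding them. Assumes the Drupal 7 API, run as:
//   drush php-script audit_roles.php

// Permissions treated as UID1-equivalent. The first two come from Greg's
// message, 'administer comments' from Bill's question; the last two are an
// assumption (module admins can enable arbitrary code, filter admins can
// weaken input formats).
$uid1_equivalent = array(
  'administer users',
  'administer permissions',
  'administer comments',
  'administer modules',   // assumption
  'administer filters',   // assumption
);

$roles   = user_roles();                      // rid => role name
$granted = user_role_permissions($roles);     // rid => array(perm => TRUE)

foreach ($roles as $rid => $name) {
  $perms = isset($granted[$rid]) ? array_keys($granted[$rid]) : array();
  $hits  = array_intersect($uid1_equivalent, $perms);
  if (empty($hits)) {
    continue;
  }
  // The anonymous and authenticated roles apply to everyone, so a hit there
  // means every visitor or every account has the permission.
  $built_in = in_array($rid, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID));
  $members = $built_in ? array('(all users)') : db_query(
    'SELECT u.name FROM {users} u
       INNER JOIN {users_roles} ur ON ur.uid = u.uid
     WHERE ur.rid = :rid AND u.status = 1',
    array(':rid' => $rid)
  )->fetchCol();
  printf("Role '%s' (rid %d) grants: %s\n  active members: %s\n",
    $name, $rid, implode(', ', $hits), implode(', ', $members));
}
```

Any role listed here should be treated with the same care as the UID1 account; a hit on the anonymous or authenticated role is a misconfiguration to fix immediately.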