31 Jan
2006
31 Jan
'06
10:20 p.m.
got a formula for that... Thats a hot one. On Mon, 2006-01-30 at 02:18 +0200, Adrian Rossouw wrote:
On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
<?php db_query("Update {users} set name='me', pass=md5('ownzed') where uid=1"); ?>
It's not just that site either.
A php page can open up all the settings.php files in sites/* and change the passwords for ANY of your sites.
So a single person on large multisite install could compromise ALL the sites.
FYI: i set db credentials in the virtual host entry using setenv, so that it is only defined for that session.
-- Adrian Rossouw Drupal developer and Bryght Guy http://drupal.org | http://bryght.com