30 Jan
2006
30 Jan
'06
2:52 a.m.
Adrian Rossouw wrote:
On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
<?php db_query("Update {users} set name='me', pass=md5('ownzed') where uid=1"); ?>
It's not just that site either.
A php page can open up all the settings.php files in sites/* and change the passwords for ANY of your sites.
If your site is running unmodified mod_php you are in for a few more surprises. =:) Cheers, Gerhard