30 Jan 2006, 1:18 a.m.
On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
<?php db_query("Update {users} set name='me', pass=md5('ownzed') where uid=1"); ?>
It's not just that site either. A PHP page can open up all the settings.php files in sites/* and change the passwords for ANY of your sites. So a single person on a large multisite install could compromise ALL the sites.

FYI: I set db credentials in the virtual host entry using setenv, so that it is only defined for that session.

--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com
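
An added example, not part of the original message: a small shell audit that lists which settings.php files under sites/* hold a literal database password and which read it from the environment. It assumes the `$db_url = 'scheme://user:pass@host/db'` form of settings.php; the DRUPAL_DB_URL variable name and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a multisite tree for
# settings.php files that hold a literal database password.
# Assumes the $db_url = 'scheme://user:pass@host/db' form of settings.php.

audit_settings() {
    root=$1
    inline=0
    for f in "$root"/sites/*/settings.php; do
        [ -f "$f" ] || continue
        # Uncommented $db_url assigned a quoted DSN containing user:password@
        if grep -Eq '^[[:space:]]*\$db_url[^=]*=[[:space:]]*["'\''][a-z]+://[^:/@]+:[^@]+@' "$f"; then
            echo "INLINE  $f"
            inline=$((inline + 1))
        # Uncommented $db_url populated from the process environment
        elif grep -Eq '^[[:space:]]*\$db_url[^=]*=.*getenv\(' "$f"; then
            echo "ENV     $f"
        else
            echo "UNKNOWN $f"
        fi
    done
    echo "inline_credentials=$inline"
}

# Constructed sample tree: site_a embeds its password, site_b reads a
# hypothetical DRUPAL_DB_URL variable set per virtual host.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/sites/site_a" "$t/sites/site_b"
    cat > "$t/sites/site_a/settings.php" <<'EOF'
<?php
$db_url = 'mysql://drupal:s3cret@localhost/site_a';
EOF
    cat > "$t/sites/site_b/settings.php" <<'EOF'
<?php
# $db_url = 'mysql://user:pass@localhost/db';
$db_url = getenv('DRUPAL_DB_URL');
EOF
    echo "$t"
}

tree=$(make_sample_tree)
audit_settings "$tree"
rm -rf "$tree"
```

Files reported as INLINE are the ones whose credentials any PHP page on the same install could read directly from disk.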