I could be wrong on this (but I really hope I'm not) --
This hole would only exist if php was allowed via the input formats. If php code was only allowed for VERY TRUSTED users, this should become a non-issue.
I'd love to get some feedback on this, because if I am wrong on this, this could be a pretty big vulnerability that could undermine the practical usefulness of multi-site installs.
Bill. Steve Dondley wrote:
On a multi-site set up, it's a trivial matter for someone to create a node with some PHP code that takes a peak at another site's settings.php file. Example:
<?php $file = file ( 'sites/example.com/settings.php' ); foreach ($file as $key => $line) { print $line; print "<br />"; } ?>
What's the best practice for eliminating this problem?
-- Dondley Communications http://www.dondleycommunications.com
Communicate or Die: American Labor Unions and the Internet http://www.communicateordie.com