[development] let's cleanup /misc

Darrel O'Pry dopry at thing.net
Wed Jan 11 21:37:11 UTC 2006


On Wed, 2006-01-11 at 22:13 +0100, Gabor Hojtsy wrote:
> Darrel O'Pry wrote:
> > to settings.php. settings.php is the only file in Drupal that has the
> > potential to be a security problem if its contents are exposed...
> 
> Darrel, any module or theme source file could be a security problem if
> exposed. You can directly inspect the source code, identify versions, or
> in case of custom code, examine weaknesses. Any identified publicly
> available module can possibly contain weaknesses.
> 
> Goba

I can infer the version of Drupal you are running by the feature set,
then examine the code in CVS all day, or night as is my leisure. In the
case of custom code, well, that's on the developer who wrote it. Although
I think XSS is a far more likely way to get my db goodies than
accidentally exposing my settings.php. :)

Versions can be inferred from features. Authentication information is a
security breach which compromises everything.