[development] Remove PHP filter by default

Larry Garfield larry at garfieldtech.com
Sun Jan 29 22:00:25 UTC 2006


On Sunday 29 January 2006 15:33, Morbus Iff wrote:
> > We have investigated the ways to become SU. in drupal 4.7 there are at
> > least 7 totally different ways of rooting (for becoming SU is that,
> > exactly) a drupal site. Nearly all are related to gaining PHP rights,
> > then using that to change
>
> I'm confused - how can a PHP input filter cause a user to become root,
> when PHP execs itself in the user space of the Apache process?

Not Unix root, but Drupal root.

<?php db_query("Update {users} set name='me', pass=md5('ownzed') where uid=1"); ?>

View that page.  Then log in as me/ownzed and you've just taken over UID 1.

(Above code may only work on MySQL, but I'm sure a postgres version is no more 
difficult.)

I think that's the kind of thing people are worried about, and now that I 
think about it so am I.  

I think the simplest solution is just to move the PHP filter to a contrib 
module.  Those that want it can drop it in and enable it, while those that 
don't need it don't have to worry about it.

-- 
Larry Garfield			AIM: LOLG42
larry at garfieldtech.com		ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson
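The takeover described in the message above changes the name and password hash of UID 1 directly in the {users} table. A site operator can catch that after the fact by comparing the UID 1 row against a trusted baseline. The following is an added example, not code from the thread or from Drupal: it uses an in-memory SQLite stand-in for the Drupal 4.7 {users} table (uid, name, pass with unsalted md5, as in the post) and a constructed tampering step so the check has something to detect.

```python
import hashlib
import sqlite3

# Constructed stand-in for Drupal 4.7's {users} table; not Drupal's own schema code.
SCHEMA = "CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)"


def md5(s):
    # Drupal 4.7 stored unsalted md5 password hashes, as the post's snippet shows.
    return hashlib.md5(s.encode()).hexdigest()


def make_site(conn, uid1_name="admin", uid1_pass="correct horse"):
    """Populate the constructed table with a sample site: UID 1 plus one editor."""
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", [
        (1, uid1_name, md5(uid1_pass)),
        (2, "editor", md5("hunter2")),
    ])
    conn.commit()


def snapshot_uid1(conn):
    """Record the trusted (name, pass) of UID 1 for later comparison."""
    return conn.execute("SELECT name, pass FROM users WHERE uid = 1").fetchone()


def check_uid1(conn, baseline):
    """Return findings: which UID 1 fields differ from the trusted baseline."""
    name, pw = snapshot_uid1(conn)
    findings = []
    if name != baseline[0]:
        findings.append(f"uid 1 name changed: {baseline[0]!r} -> {name!r}")
    if pw != baseline[1]:
        findings.append("uid 1 password hash changed")
    return findings


def demo():
    """Take a baseline, simulate the UID 1 tampering from the post, re-check."""
    conn = sqlite3.connect(":memory:")
    make_site(conn)
    baseline = snapshot_uid1(conn)
    assert check_uid1(conn, baseline) == []  # clean site: no findings
    # Constructed tampering step mirroring the effect of the post's UPDATE.
    conn.execute("UPDATE users SET name='me', pass=? WHERE uid=1", (md5("ownzed"),))
    return check_uid1(conn, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real deployment the baseline would be stored outside the web-writable database (for example in a monitoring host) and the check run on a schedule.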

