[development] Remove PHP filter by default
Darrel O'Pry
dopry at thing.net
Tue Jan 31 21:20:02 UTC 2006
got a formula for that... That's a hot one.
On Mon, 2006-01-30 at 02:18 +0200, Adrian Rossouw wrote:
> On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
> >
> > <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
> > uid=1"); ?>
>
> It's not just that site either.
>
> A php page can open up all the settings.php files in sites/* and
> change the passwords
> for ANY of your sites.
>
> So a single person on large multisite install could compromise ALL
> the sites.
>
> FYI: i set db credentials in the virtual host entry using setenv, so
> that it is only defined
> for that session.
>
> --
> Adrian Rossouw
> Drupal developer and Bryght Guy
> http://drupal.org | http://bryght.com
>
>
>
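The mitigation Adrian describes above, moving the database credentials out of settings.php and into per-virtual-host `SetEnv` directives, sketched as an added example (not code from the thread or from Drupal itself). The variable names `DRUPAL_DB_*` and the `$db_url` connection-string format are assumptions for illustration; check them against the settings.php shipped with the Drupal version in use. Any page that can still execute PHP inside that vhost can read its own environment, so this limits a compromise to the one site's credentials rather than every settings.php under sites/*; it does not remove the need to restrict the PHP filter permission itself.

```php
<?php
// Added example (not from the thread): a settings.php fragment that reads the
// database credentials from environment variables instead of hardcoding them.
//
// Corresponding Apache virtual host configuration (assumed variable names):
//   <VirtualHost *:80>
//     ServerName site1.example.com
//     SetEnv DRUPAL_DB_USER drupal_site1
//     SetEnv DRUPAL_DB_PASS REPLACE_WITH_REAL_PASSWORD
//     SetEnv DRUPAL_DB_HOST localhost
//     SetEnv DRUPAL_DB_NAME site1
//   </VirtualHost>
//
// Because each vhost gets its own SetEnv block, a settings.php read from
// another site's directory no longer yields that site's password.

$required = array('DRUPAL_DB_USER', 'DRUPAL_DB_PASS', 'DRUPAL_DB_HOST', 'DRUPAL_DB_NAME');

// Fail closed if the vhost did not provide every variable: a half-configured
// site should not fall back to a shared or default account.
foreach ($required as $var) {
  if (getenv($var) === false || getenv($var) === '') {
    header('HTTP/1.1 503 Service Unavailable');
    exit('Database configuration is missing for this virtual host.');
  }
}

// Assumed connection-string format: scheme://user:pass@host/database.
// User and password are URL-encoded so that characters such as '@' or '/'
// in the password cannot break the parsing of the URL.
$db_url = 'mysql://'
  . rawurlencode(getenv('DRUPAL_DB_USER')) . ':'
  . rawurlencode(getenv('DRUPAL_DB_PASS')) . '@'
  . getenv('DRUPAL_DB_HOST') . '/'
  . getenv('DRUPAL_DB_NAME');

$db_prefix = '';
```

Keep the vhost file readable only by root and the Apache user; `SetEnv` values are as sensitive as the password line they replace, they are simply no longer sitting in a PHP-readable file under the web tree.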