[development] Remove PHP filter by default

Darrel O'Pry dopry at thing.net
Tue Jan 31 21:20:02 UTC 2006


Got a formula for that... That's a hot one.

On Mon, 2006-01-30 at 02:18 +0200, Adrian Rossouw wrote:
> On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
> >
> > <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
> > uid=1"); ?>
> 
> It's not just that site either.
> 
> A PHP page can open up all the settings.php files in sites/* and  
> change the passwords
> for ANY of your sites.
> 
> So a single person on a large multisite install could compromise ALL  
> the sites.
> 
> FYI: I set db credentials in the virtual host entry using setenv, so  
> that it is only defined
> for that session.
> 
> --
> Adrian Rossouw
> Drupal developer and Bryght Guy
> http://drupal.org | http://bryght.com
> 
> 
> 
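
Added example, not part of the original thread: a small audit that lists which sites/*/settings.php files in a multisite tree keep a literal database password on disk and which read it from the environment, the setup described above for per-virtual-host credentials. It assumes the Drupal 4.x `$db_url` connection-string format; `DRUPAL_DB_URL`, the site names and the sample files are constructed for illustration.

```python
import re
import stat
from pathlib import Path

# Assumption: Drupal 4.x-style settings.php, where the connection string is
#   $db_url = 'mysql://user:password@host/database';
DB_URL_RE = re.compile(r"""^\s*\$db_url\s*=\s*(['"])(?P<url>[a-z]+://[^'"]*)\1""", re.M)
PASSWORD_RE = re.compile(r"://[^/:@]+:[^/@]+@")  # user:password@ inside the URL


def audit_settings(drupal_root):
    """Return one finding per sites/*/settings.php under drupal_root."""
    findings = []
    for path in sorted(Path(drupal_root).glob("sites/*/settings.php")):
        text = path.read_text(errors="replace")
        match = DB_URL_RE.search(text)
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "site": path.parent.name,
            # A literal password on disk is exposed to any PHP code that can read the file.
            "hardcoded_password": bool(match and PASSWORD_RE.search(match["url"])),
            "reads_environment": "getenv(" in text,
            "world_readable": bool(mode & stat.S_IROTH),
            "writable_beyond_owner": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    return findings


def build_sample_tree(root):
    """Constructed sample: one site with a literal password, one reading the env."""
    samples = {
        "a.example": ("<?php\n$db_url = 'mysql://drupal:s3cret@localhost/site_a';\n", 0o644),
        # DRUPAL_DB_URL is a hypothetical variable name set per virtual host.
        "b.example": ("<?php\n$db_url = getenv('DRUPAL_DB_URL');\n", 0o640),
    }
    for site, (body, mode) in samples.items():
        path = Path(root) / "sites" / site / "settings.php"
        path.parent.mkdir(parents=True)
        path.write_text(body)
        path.chmod(mode)
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_settings(build_sample_tree(tmp)):
            print(finding)
```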


