This falls under the heading of doing something so stupid you just have to tell people...

To create a security risk on your Drupal site that's so large, and made so easily, it will boggle your mind...

  1. Create a block or page and use the PHP input filter (yes, this is an extra-caution area by definition)
  2. Try to create an if ($user->uid == 1) statement to check for the most privileged user...
  3. Mess up and type if ($user->uid = 1) instead, anywhere on the page

Anyone who goes to that page will get logged on as user number one (whether they want to be or not), and will roam around your site with absolute power!

This is a mistake with such big consequences, and so easy to make (a classic PHP typo), that I wonder if there are reasonable ways to prevent it.

Also, looking for a place to post, I wonder why there isn't a Drupal security forum or a security group on groups.drupal.org (there is of course a security team and an e-mail list).

As to not accidentally giving passers-by superuser (or any user) powers on your site, the first step might be to immediately make a non-reference copy of the global user if you will be testing, not changing, values in it.

There also isn't really much reason to test by user. I wanted to test by role in this case anyway, but I was tired and it was easier to quickly test by superuser to see if it would work, instead of using something like this code to test for a user's roles.

So that would be the main lesson... don't code when tired!

~ ben, Agaric Design Collective
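The typo described in the post, next to the safer forms the post hints at, as an added example (it is not code from the original post or from Drupal itself). It assumes the standard Drupal 6/7-era global $user object with ->uid and ->roles, the core function user_access(), and, purely for illustration, a role named 'administrator'; the permission string 'administer site configuration' is a core Drupal permission.

```php
<?php
// Added example, not from the original post. Assumes Drupal's global $user
// (->uid, ->roles keyed by role id => role name) and core user_access().

global $user;

// The bug: one '=' assigns 1 to $user->uid instead of comparing. From this
// line on Drupal treats the visitor as user 1 for the rest of the request,
// and the condition itself is always true (the assigned value, 1).
if ($user->uid = 1) {
  // Runs for every visitor, anonymous ones included.
}

// Mitigation 1: put the constant on the left ("Yoda condition"). The same
// typo now reads "1 = $user->uid", which PHP refuses to compile, so the
// mistake fails loudly on the page instead of silently elevating everyone.
if (1 == $user->uid) {
  // Only the real superuser reaches this block.
}

// Mitigation 2: test against a copy rather than the global object. Note that
// in PHP 5 and later "$account = $user;" copies only the object handle, so a
// stray assignment through $account would still change the global account;
// clone it explicitly to get the non-reference copy the post recommends.
$account = clone $user;
if (1 == $account->uid) {
  // Even a typo on $account here leaves $GLOBALS['user'] untouched.
}

// Mitigation 3: don't test for a specific user at all. Ask Drupal for a
// permission or a role, which is usually what the access decision means.
if (user_access('administer site configuration')) {
  // Any account holding that permission, user 1 included.
}
if (in_array('administrator', $user->roles)) {
  // Any account with the (assumed) 'administrator' role.
}
```

The Yoda form is the cheapest fix because it turns the typo into a parse error; the role or permission check is the one worth using in a real block, since it survives the superuser account being renamed, blocked or replaced.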

Comments

platform8-1

Sadly I am very prone to the =,== typo, so thanks for the heads up Ben.

roncjl

thanks! that was so cool! lol. not on its serious aspects though :P