I am running Drupal 6.17 with many modules. I was wondering if anyone has ever seen a case of a user just (apparently) being auto-escalated to admin (userid = 1) privileges. I was testing with several users and on one (called billie123), I noticed billie123 was able to edit views. I then did some poking around and concurrently loaded userid = 1 in a different browser to see if billie123 had just randomly been assigned a role of userid = 1. billie123 was not assigned anything other than the "authenticated user" role. I was, in fact, able to edit the post billie123 tried to; billie123 was also able to edit views and see anything userid = 1 is able to see.

I have been trying to reproduce this all day and have not been able to. I was just testing with users and stumbled across this. My means for testing was clicking on certain posts that were in certain portions of the taxonomy tree. I wanted to verify they could only edit the appropriate posts (Using Taxonomy Access Control). I obtained the results I was expecting. Then I noticed that views could be edited and so could any post. No user except my account and userid = 1 can edit views.

Any thoughts, concerns, ideas, etc?

Comments

nevets:

By different browser do you mean like Firefox and Chrome or different windows?

lilott8:

I was in different browsers completely. userid = 1 in FF and the test user in IE/Chrome.

lilott8:

Is there any other information anyone needs to help troubleshoot this/escalate this to a potential security problem?
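A first triage pass for a report like this, covering both the role/permission question in the original post and the session question nevets raises, is to look directly at the site's tables rather than at what the UI shows. The script below is an added example and is not code from this thread or from the Drupal project; it runs against an in-memory SQLite copy of constructed sample rows shaped like the Drupal 6 `users`, `role`, `permission`, `users_roles` and `sessions` tables (the column names and the comma-separated `perm` format are my assumptions about the Drupal 6 schema, so check them against the real database before pointing the queries at it). It answers three questions a defender wants settled first: which roles actually grant `administer views`, which roles the suspect account really holds, and whether uid 1 has live sessions on the same hostname as another user, which is the condition under which a test on one machine with two browsers can be confused with a real escalation.

```python
import sqlite3

# Constructed sample data, modelled on Drupal 6 tables (schema is an assumption).
SCHEMA = """
CREATE TABLE users       (uid INTEGER, name TEXT);
CREATE TABLE role        (rid INTEGER, name TEXT);
CREATE TABLE permission  (pid INTEGER, rid INTEGER, perm TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE sessions    (uid INTEGER, sid TEXT, hostname TEXT, timestamp INTEGER);
"""

SAMPLE = [
    ("users", [(1, "admin"), (7, "billie123"), (8, "carol")]),
    ("role", [(1, "anonymous user"), (2, "authenticated user"), (3, "editor")]),
    # Drupal 6 stores one comma-separated permission list per role.
    ("permission", [(1, 2, "access content, access comments"),
                    (2, 3, "access content, administer views, administer nodes")]),
    ("users_roles", [(8, 3)]),          # only carol has an explicit extra role
    ("sessions", [(1, "sid-admin-a", "10.0.0.5", 1000),
                  (1, "sid-admin-b", "10.0.0.9", 1005),   # uid 1 on the tester's box
                  (7, "sid-billie",  "10.0.0.9", 1004)]), # billie123 on the same box
]


def load_sample_db():
    """Build the in-memory database from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE:
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def roles_with_permission(conn, perm):
    """Roles whose comma-separated perm list grants `perm` (e.g. 'administer views')."""
    found = []
    for rid, name, perms in conn.execute(
            "SELECT r.rid, r.name, p.perm FROM role r JOIN permission p ON p.rid = r.rid"):
        if perm in [item.strip() for item in perms.split(",")]:
            found.append((rid, name))
    return found


def roles_of_user(conn, username):
    """Explicit roles assigned to a user; Drupal 6 implies 'authenticated user' for any uid > 0."""
    rows = conn.execute(
        "SELECT r.name FROM users u "
        "JOIN users_roles ur ON ur.uid = u.uid "
        "JOIN role r ON r.rid = ur.rid WHERE u.name = ?", (username,))
    return [name for (name,) in rows]


def uid1_sessions(conn):
    """Every live session belonging to uid 1, oldest first."""
    return conn.execute(
        "SELECT sid, hostname FROM sessions WHERE uid = 1 ORDER BY timestamp").fetchall()


def hosts_shared_with_uid1(conn):
    """Hostnames carrying both a uid-1 session and a session of some other user."""
    rows = conn.execute(
        "SELECT DISTINCT a.hostname FROM sessions a "
        "JOIN sessions b ON a.hostname = b.hostname "
        "WHERE a.uid = 1 AND b.uid <> 1").fetchall()
    return sorted(host for (host,) in rows)


def triage(conn, username):
    """Collect the three checks into one report for the suspect account."""
    return {
        "roles_granting_administer_views": roles_with_permission(conn, "administer views"),
        "explicit_roles_of_user": roles_of_user(conn, username),
        "uid1_sessions": uid1_sessions(conn),
        "hosts_shared_with_uid1": hosts_shared_with_uid1(conn),
    }


if __name__ == "__main__":
    for key, value in triage(load_sample_db(), "billie123").items():
        print(f"{key}: {value}")
```

If the suspect account holds no role that grants the permission but a hostname appears in `hosts_shared_with_uid1`, the next thing to compare is the session cookie each browser on that machine is sending; if instead a role does grant the permission, the report is a configuration problem rather than an escalation.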