Using a tool such as w.bloggar, create a new posting.
Using a tool such as MySQL Query browser, inspect the node_revisions table. The 'format' field for the new entry is set to 0.
A format of 0 means "use the default input format". "Input format" is a misnomer since the format filters are applied only to the viewed text, not to the "input".
A post can be made by someone without permission to use the PHP code format. The post can include PHP code. If the default format is ever changed to 'PHP code', the PHP code will be executed. This is a minor security problem since it is unlikely that anyone would set the PHP code format as the default, but an administrator might think it safe to do so if the site is closed to the public.
More interesting is the case of a module such as "default_filter", which sets filter types by role and node type. A format of 0 could cause a lot of havoc. I'll file a separate bug report for that module, but it sure seems that the format field should never be 0. Since xmlrpc calls require a username and password, I would think it could select the proper default format for the post.
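A small model, added here and not Drupal's own code, of the behaviour the report describes: a stored format of 0 is resolved against the site default only when the node is viewed, so a later change of the default re-renders old text under the new format, whereas pinning a permitted format at save time (the fix the report suggests) does not. Format ids, function names and the sample rows are assumptions for this model, not Drupal's real values.

```python
# Constructed model of Drupal's "format 0 = use the default input format"
# sentinel and its resolution at view time (not Drupal code).
DEFAULT_FORMAT_ID = 0        # Drupal's sentinel for "use the site default"
FORMAT_FILTERED_HTML = 1     # assumed id for this model
FORMAT_PHP_CODE = 3          # assumed id for this model


def apply_format(body, fmt):
    """Stand-in for the filter system: the PHP code format would execute the
    body, any other format renders it as text. Execution is only tagged here."""
    if fmt == FORMAT_PHP_CODE:
        return ("EXECUTED", body)
    return ("TEXT", body)


def render_vulnerable(revision, site_default_format):
    """Mirrors the reported behaviour: a stored format of 0 is resolved
    against the *current* site default when viewed, whoever wrote the text."""
    fmt = revision["format"]
    if fmt == DEFAULT_FORMAT_ID:
        fmt = site_default_format
    return apply_format(revision["body"], fmt)


def store_hardened(body, requested_format, site_default_format, allowed_formats):
    """Resolve the default at save time and check it against the formats the
    posting user may use, so the stored row never carries the 0 sentinel."""
    fmt = site_default_format if requested_format == DEFAULT_FORMAT_ID else requested_format
    if fmt not in allowed_formats:
        raise PermissionError(f"user may not post with format {fmt}")
    return {"body": body, "format": fmt}


def find_unresolved_revisions(rows):
    """Defender-side check over node_revisions-like rows: every row still
    holding format 0 will follow whatever the default is changed to later."""
    return [row["vid"] for row in rows if row["format"] == DEFAULT_FORMAT_ID]


if __name__ == "__main__":
    # Constructed sample: a revision saved with format 0 by a non-privileged user.
    rev = {"vid": 1, "body": "<?php /* constructed sample */ ?>", "format": DEFAULT_FORMAT_ID}
    print(render_vulnerable(rev, FORMAT_FILTERED_HTML))   # rendered as text
    print(render_vulnerable(rev, FORMAT_PHP_CODE))        # same row, now executed
    print(find_unresolved_revisions([rev, {"vid": 2, "body": "", "format": 1}]))
```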
Comments
Comment #1
brianV commented: Bumping to 6.x-dev. This is definitely still possible in the current 6.x.
On the other hand, it isn't really different from somebody being able to write nodes (forum posts, anything) on the site, and entering PHP code.
A minor issue at best.