[wp-hackers] Security Vulnerability found - Forum Post
Scott Merrill
skippy at skippy.net
Thu Apr 14 22:13:42 GMT 2005
Robert Deaton wrote:
> My point was a bit more security against the script kiddies and noobies,
> if they were to get access to the file editor. We already know you can't
> edit the wp-config file or anything, but you could still echo out the
> constants anywhere. This would get rid of that risk. As far as people
> just fopening it and parsing them out from there, not much we can do to
> avoid that. I know it doesn't help security much, but it'd make things a
> bit more difficult for script kiddies
It might, but it might also generate a false sense of security amongst
our users.
The simple fact is that there is no sure-fire way to totally protect
your wp-config.php data unless you personally review every line of code
in every plugin you install.
We can't -- and arguably shouldn't try to -- protect against attacks
from other locally installed PHP scripts.
Better, I think, to inform the users that wp-config.php contains the
"keys to the kingdom", so to speak; and they should protect it
appropriately: `chmod 650; chown user.www-data` for example. Advise
users to be aware of the fact that a malicious plugin could expose this
data, even though filesystem security is set appropriately.
--
skippy at skippy.net | http://skippy.net/
gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49 3544 476A 7DEC 9CFA 4B35
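The filesystem advice above (owner and web-server group only, nothing for "other") can be checked mechanically. The following is an added example, not code from the thread or from WordPress; it assumes GNU stat with a BSD stat fallback, and leaves the chown to the administrator because the owning user and group differ between hosts.

```shell
#!/bin/sh
# Added example: report whether a wp-config.php is exposed to "other" users,
# and tighten it to the 650 mode suggested in the post.

# Print the octal permission bits of a file, e.g. 644.
# GNU stat first; BSD/macOS stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the file is neither readable nor writable by "other"
# and not writable by group; return 1 otherwise.
# $1 is the path to wp-config.php.
check_wp_config_perms() {
    mode=$(file_mode "$1") || return 1
    # Last digit is "other", the one before it is "group".
    other=$(printf '%s' "$mode" | tail -c 1)
    group=$(printf '%s' "$mode" | tail -c 2 | head -c 1)
    [ "$other" -eq 0 ] || return 1
    # Group write bit is 2, so 2, 3, 6 and 7 all mean group-writable.
    case "$group" in 2|3|6|7) return 1 ;; esac
    return 0
}

# Apply the mode from the post: owner read/write, group read, other none.
# Pair this with 'chown <user>:<web-server-group>' on the real install.
harden_wp_config() {
    chmod 650 "$1"
}

# Demonstration on a constructed temporary file, not a real install.
demo() {
    tmp=$(mktemp)
    printf "<?php define('DB_PASSWORD', 'example');\n" > "$tmp"
    chmod 644 "$tmp"    # the common, world-readable default
    if check_wp_config_perms "$tmp"; then echo "644: ok"; else echo "644: readable by other"; fi
    harden_wp_config "$tmp"
    if check_wp_config_perms "$tmp"; then echo "650: ok"; else echo "650: still exposed"; fi
    rm -f "$tmp"
}
```

Run `demo` to see the check fail on a 644 file and pass once 650 is applied.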