[wp-hackers] Page with only articles from category x.

Stephane Daury wordpress at tekartist.org
Thu Aug 30 03:21:19 GMT 2007


On Aug 29, 2007, at 23:12, Stephane Daury wrote:

>
> On Aug 29, 2007, at 13:19, Alex Polite wrote:
>
>>> While these aren't necessarily the best use of them, IMO, if you want
>>> to make a single Page that does PHP code, this is the best way.
>>
>>> PHPExec and runPHP and such should be avoided unless absolutely
>>> necessary.
>>
>> For security reasons or?
>
> Allowing PHP code in a page or post content (or any user-modifiable  
> content) is begging for injection attacks, which is when someone  
> finds a way to execute code on your server from the comfort of  
> their web browser.
>
> http://en.wikipedia.org/wiki/Code_injection
>
> Never a good thing.
>
> Imagine if I could pass the following command to your server?
> <?php echo file_get_contents('/etc/passwd').file_get_contents('/etc/shadow'); ?>
>
> Now I'd have access to your box with the help of any widely
> available quick password cracker.
> This is only compounded by the widespread use of non-SSL login by
> WordPress users.

Though technically, all users are executing code when accessing  
WordPress.
I meant "when someone finds a way to execute **their own** code on  
your server".
:)

Stephane
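Added example, not from the thread and not code from WordPress, runPHP or PHPExec: a stand-alone PHP script contrasting the pattern the thread warns against (evaluating PHP found in stored post content) with the alternative it points toward (a Page whose dynamic behaviour comes from a fixed allowlist of handlers that content can only select, never define). All function and tag names (render_with_eval, render_with_allowlist, tag_year, tag_upper, the [upper]/[year] tags) are hypothetical and chosen for illustration; the "post content" strings are constructed.

```php
<?php
// Added example, not from the thread or from any WordPress plugin.
// Two ways of turning stored post content into dynamic output.

// 1. The pattern the thread warns against: evaluate PHP embedded in post
//    content. Anyone who can write the content can run arbitrary code on the
//    server, e.g. read /etc/passwd and /etc/shadow as in the quoted message.
function render_with_eval(string $content): string
{
    ob_start();
    // The leading '?>' drops eval into template mode, so text passes through
    // and anything inside <?php ... ?> executes. This is the injection point.
    eval('?>' . $content);
    return (string) ob_get_clean();
}

// 2. A safer pattern: content may reference a handler by name; the set of
//    handlers and what they do is fixed in code the author controls.
//    (Hypothetical handler names, for illustration only.)
const ALLOWED_TAGS = [
    'year'  => 'tag_year',
    'upper' => 'tag_upper',
];

function tag_year(array $attrs): string
{
    return date('Y');
}

function tag_upper(array $attrs): string
{
    return strtoupper($attrs['text'] ?? '');
}

function render_with_allowlist(string $content): string
{
    // Matches [name attr="value" ...] and dispatches to an allowlisted handler.
    return preg_replace_callback(
        '/\[([a-z_]+)((?:\s+[a-z_]+="[^"]*")*)\s*\]/',
        function (array $m): string {
            $name = $m[1];
            if (!isset(ALLOWED_TAGS[$name])) {
                // Unknown tag: render it as inert, escaped text. Never execute.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $attrs = [];
            if (preg_match_all('/([a-z_]+)="([^"]*)"/', $m[2], $am, PREG_SET_ORDER)) {
                foreach ($am as $a) {
                    $attrs[$a[1]] = $a[2];
                }
            }
            // Handler output is escaped too, so a handler cannot be abused to
            // smuggle markup or script into the page.
            return htmlspecialchars(ALLOWED_TAGS[$name]($attrs), ENT_QUOTES, 'UTF-8');
        },
        $content
    );
}

// Constructed sample content. A harmless payload stands in for the
// file_get_contents() one from the thread; swap it in to see the real effect.
$benign    = "Hello <?php echo 'executed: ' . (2 + 2); ?> world";
$malicious = "Hello <?php echo file_get_contents('/etc/passwd'); ?> world";

// With eval, the embedded PHP runs on the server:
echo render_with_eval($benign), PHP_EOL;

// With the allowlist, the same PHP is just text; only known tags do anything,
// and an unknown [phpexec] tag is shown escaped rather than honoured.
echo render_with_allowlist(
    $malicious . ' [upper text="safe"] [year] [phpexec code="system(...)"]'
), PHP_EOL;
```

The point of the second half is that the content author chooses among behaviours the site owner wrote; nothing the author types is ever handed to the PHP interpreter, which is why the same edit-rights compromise that owns the box under eval is limited to producing a slightly odd page here.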