[wp-hackers] Security Vulnerability found - Forum Post

Robert Deaton false.hopes at gmail.com
Thu Apr 14 22:02:35 GMT 2005


My point was a bit more security against the script kiddies and noobies, if 
they were to get access to the file editor. We already know you can't edit 
the wp-config file or anything, but you could still echo out the constants 
anywhere. This would get rid of that risk. As far as people just fopening it 
and parsing them out from there, not much we can do to avoid that. I know it 
doesn't help security much, but it'd make things a bit more difficult for 
script kiddies

On 4/14/05, Amit Gupta <amit at igeek.info> wrote:
> 
>  I know what you are trying to say & I know that once a variable is unset, 
> it can't be accessed in the script anymore. But you didn't understand what I 
> meant. What I was saying is that:-
> 
> 1) what good it would do to unset the db vars? added security? no-one able 
> to access db user/password?
> 
> 2) the wp-config file is loaded on every page load in WordPress, right? so 
> the variables are created everytime wp-config is loaded. you can ofcourse 
> unset them as soon as they are loaded
> 
> 3) the db user/password are still hardcoded in the wp-config file, so 
> anyone having access to it can have them.
> 
> 4) if wp-config is loaded everytime on a page load, then wouldn't it be 
> better to check if a db connection exists or not? if the connection exists, 
> then there's no need to load wp-config. however, if db connection doesn't 
> exist, then it can be loaded. no?
> 
> hope I make myself clearer this time. :)
> 
> -----
> Amit Gupta
> 
> || Canned!! -- my Atropine <http://blog.igeek.info/> || iG:Syntax Hiliter 
> v2.01<http://blog.igeek.info/still-fresh/2004/11/22/igsyntax-hiliter-2-final/>||
> || iGEEK.INFO <http://www.igeek.info/> || Free Nokia Ringtones<http://www.igeek.info/ringtones.php>|| Online 
> Gaming @ Games Planet <http://www.igeek.info/games.php> || 
> 
> 
> 
> 
> ---------- Original Message from "Robert Deaton" <false.hopes at gmail.com> 
> ----------
> PHP has this nice feature for variables called unset. unset('varname') and 
> you don't have to worry
> about the rest of the script being able to access it. Call unset on the 
> variables right after the
> database connection is established and then it guarantees that you can't 
> access them elsewhere
> (minus inside the wpdb class if they're stored there, and if so, it could 
> be made not to store them
> there and not lose any functionality).
> 
> -- 
> --Robert Deaton
> http://somethingunpredictable.com
> 
> 
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
> 
> 


-- 
--Robert Deaton
http://somethingunpredictable.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://comox.textdrive.com/pipermail/wp-hackers/attachments/20050414/707718aa/attachment.html


More information about the wp-hackers mailing list