[wp-hackers] Security Vulnerability found - Forum Post

Scott Merrill skippy at skippy.net
Thu Apr 14 22:13:42 GMT 2005

Robert Deaton wrote:
> My point was a bit more security against the script kiddies and noobies, 
> if they were to get access to the file editor. We already know you can't 
> edit the wp-config file or anything, but you could still echo out the 
> constants anywhere. This would get rid of that risk. As far as people 
> just fopening it and parsing them out from there, not much we can do to 
> avoid that. I know it doesn't help security much, but it'd make things a 
> bit more difficult for script kiddies

It might, but it might also generate a false sense of security amongst 
our users.

The simple fact is that there is no sure-fire way to totally protect 
your wp-config.php data unless you personally review every line of code 
in every plugin you install.

We can't -- and arguably shouldn't try to -- protect against attacks 
from other locally installed PHP scripts.

Better, I think, to inform the users that wp-config.php contains the 
"keys to the kingdom", so to speak; and they should protect it 
appropriately: `chmod 650; chown user.www-data` for example.  Advise 
users to be aware of the fact that a malicious plugin could expose this 
data, even though filesystem security is set appropriately.

skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35

More information about the wp-hackers mailing list