[wp-hackers] Security Vulnerability found - Forum Post

Robert Deaton false.hopes at gmail.com
Thu Apr 14 22:32:55 GMT 2005


Unfortunately, I don't think that'd work at all really. In this case, mySQL 
isn't on a persistant connection, and even if it was, you would still have 
to have the user/pass to access the resource (iirc, don't hold me to this). 
At any rate, this would provide no benefit

@scott - I was speaking about in the case that this so called "exploit" 
works and someone gets admin or even upper level account stuff. At any rate, 
these little tweaks would probably not be worth it in the long run.

On 4/14/05, Amit Gupta <amit at igeek.info> wrote:
> 
>  ok, so that's not possible, I mean we can't unset a constant as Matt said 
> & he doesn't want to change now & break the wp-config files of users.
> so what we can do is:-
> 
> the `$wpdb` object is global, right? so it can be accessed without 
> redefining the connection again or including it in the script. so I'd say 
> that lets check on every page load whether `$wpdb` exists or not. If it 
> exists, then don't load the wp-config file(there's no need if I'm not 
> wrong). so that way the constants are inaccessible as they are not global(as 
> far as I know). we can't undo the constants but we can still restrict its 
> access by this, so they'll be loaded & accessible only once, next page load 
> & they are gone!!
> 
> how about it? Matt?
> 
> -----
> Amit Gupta
> 
> || Canned!! -- my Atropine <http://blog.igeek.info/> || iG:Syntax Hiliter 
> v2.01<http://blog.igeek.info/still-fresh/2004/11/22/igsyntax-hiliter-2-final/>||
> || iGEEK.INFO <http://www.igeek.info/> || Free Nokia Ringtones<http://www.igeek.info/ringtones.php>|| Online 
> Gaming @ Games Planet <http://www.igeek.info/games.php> || 
> 
> 
> 
> 
> ---------- Original Message from "Robert Deaton" <false.hopes at gmail.com> 
> ----------
> My point was a bit more security against the script kiddies and noobies, 
> if they were to get access
> to the file editor. We already know you can't edit the wp-config file or 
> anything, but you could still
> echo out the constants anywhere. This would get rid of that risk. As far 
> as people just fopening it
> and parsing them out from there, not much we can do to avoid that. I know 
> it doesn't help security
> much, but it'd make things a bit more difficult for script kiddies
> 
> -- 
> --Robert Deaton
> http://somethingunpredictable.com
> 
> 
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
> 
> 


-- 
--Robert Deaton
http://somethingunpredictable.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://comox.textdrive.com/pipermail/wp-hackers/attachments/20050414/c4385d9c/attachment.html


More information about the wp-hackers mailing list