**Spam** RE: [wp-hackers] Security Vulnerability found - Forum Post

Mihailo Stefanovic mikis at mikis.org
Thu Apr 14 23:07:06 GMT 2005


If you gain access to the file editor, it takes only one '<? echo
file("wp-config.php") ?>' inserted into any template or plugin, and you can
see the db password, so IMHO (un)setting variables all the time is useless.


  _____  

From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Robert Deaton
Sent: Friday, April 15, 2005 12:03 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Security Vulnerability found - Forum Post


My point was a bit more security against the script kiddies and noobies, if
they were to get access to the file editor. We already know you can't edit
the wp-config file or anything, but you could still echo out the constants
anywhere. This would get rid of that risk. As far as people just fopening it
and parsing them out from there, not much we can do to avoid that. I know it
doesn't help security much, but it'd make things a bit more difficult for
script kiddies.
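
Added example, not part of the thread or of WordPress: a heuristic audit that flags template or plugin PHP which reads wp-config.php as a file or outputs the DB_* constants, the two behaviours discussed in the messages above. The rule names, the function names and the sample files are constructed for illustration, and the patterns are assumptions that will not catch obfuscated code.

```python
import re
from pathlib import Path

# Heuristic rules (assumed, not exhaustive) for the two behaviours in the thread.
RULES = {
    # A file-reading call whose argument mentions wp-config.php.
    "reads-wp-config": re.compile(
        r"\b(?:file|file_get_contents|fopen|readfile|show_source|highlight_file)"
        r"\s*\(\s*[^)]*wp-config\.php", re.I),
    # An output statement (or the <?= short tag) that emits a DB_* constant.
    "outputs-db-constant": re.compile(
        r"(?:<\?=|\b(?:echo|print_r|printf|print|var_dump)\b)[^;?]*"
        r"\bDB_(?:PASSWORD|USER|NAME|HOST)\b"),
}

def scan(files):
    """files maps path -> PHP source; returns sorted (path, line_no, rule) hits."""
    hits = []
    for path, source in files.items():
        for line_no, line in enumerate(source.splitlines(), 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    hits.append((path, line_no, rule))
    return sorted(hits)

def load_tree(root):
    """Read every .php file under root, for example a wp-content directory."""
    return {str(p): p.read_text(errors="replace")
            for p in Path(root).rglob("*.php")}

# Constructed sample files: two edited through the file editor, one benign.
SAMPLES = {
    "wp-content/themes/default/footer.php":
        "<p>Footer</p>\n<? echo file(\"wp-config.php\") ?>\n",
    "wp-content/plugins/hello.php":
        "<?php\nfunction hello() { echo 'Hello'; }\necho DB_PASSWORD;\n",
    "wp-content/themes/default/index.php":
        "<?php get_header(); ?>\n<?php $title = 'DB_NAME docs'; echo $title; ?>\n",
}

if __name__ == "__main__":
    for path, line_no, rule in scan(SAMPLES):
        print(f"{path}:{line_no}: {rule}")
```

Against a real install, pass `load_tree("wp-content")` to `scan` and review each hit by hand.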


