[wp-hackers] Security Vulnerability found - Forum Post
Kimmo Suominen
kim at tac.nyc.ny.us
Thu Apr 14 06:13:12 GMT 2005
On Thu, Apr 14, 2005 at 12:27:12AM -0400, Owen Winkler wrote:
> Nonetheless, the enclosed patch prevents any user from reading or
> writing a file that contains the DB_PASSWORD constant, including the
> wp-admin/templates.php file. With this not only can't you read files
> that contain your WordPress database password via the web interface, you
> can't alter existing files to output the password. Of course, this will
> prevent you from editing wp-config.php, setup-config.php,
> wp-config-sample.php, and wp-db.php, but if you have cause to mess with
> those files in the first place, you probably know how to use FTP or SSH
> which would probably be better suited.
Since one could still save a file (e.g. a plugin or theme component)
that outputs the contents of wp-config.php on a web page, is checking
for DB_PASSWORD really that useful?
Regards,
+ Kim
--
Kimmo Suominen (http://kimmo.suominen.com/)