[wp-trac] Re: [WordPress Trac] #5564: Non Plugin Files Can Be
Easily Included In Current Plugins using database Manipulation
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 2 05:34:08 GMT 2008
#5564: Non Plugin Files Can Be Easily Included In Current Plugins using database
Manipulation
-------------------------------+--------------------------------------------
 Reporter:  keithdsouza        |       Owner:  anonymous
     Type:  defect             |      Status:  new
 Priority:  highest omg bbq    |   Milestone:  2.5
Component:  Security           |     Version:
 Severity:  critical           |  Resolution:
 Keywords:  reporter-feedback  |
-------------------------------+--------------------------------------------
Comment (by DD32):
If you have access to the database via any means, you can create an admin
account and modify the active plugins via the UI.
If you have local access to the server, you can add files that can
automatically be included by WP.
WordPress has to assume the data given to it is sane and expected. When
entering data into the database/files, WP can check that it's an authorized
change, but if it's coming from the filesystem or database, it's impossible
for WP to know if it's supposed to be like that.
I'm going to suggest setting to invalid, pending 2nd opinion.
--
Ticket URL: <http://trac.wordpress.org/ticket/5564#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
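
The trust boundary discussed in this ticket can still be audited from outside the application. The following is an added example, not part of the original message and not WordPress core code: a stand-alone PHP check that flags active-plugin entries which do not resolve to a `.php` file inside the plugin directory. The function name, directory layout and sample entries are assumptions constructed for illustration.

```php
<?php
/**
 * Hypothetical audit helper: return [entry => reason] for every entry of an
 * active-plugins list that is not a regular .php file under $pluginDir.
 */
function audit_active_plugins(string $pluginDir, array $entries): array
{
    $base = realpath($pluginDir);
    if ($base === false || !is_dir($base)) {
        throw new InvalidArgumentException("plugin directory not found: $pluginDir");
    }
    // Trailing separator so "/plugins-evil" cannot match the "/plugins" prefix.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $suspect = [];
    foreach ($entries as $entry) {
        if (!is_string($entry) || $entry === '') {
            $suspect[var_export($entry, true)] = 'not a non-empty string';
            continue;
        }
        // realpath() collapses "../" segments and follows symlinks.
        $resolved = realpath($base . $entry);
        if ($resolved === false || !is_file($resolved)) {
            $suspect[$entry] = 'file does not exist';
        } elseif (strncmp($resolved, $base, strlen($base)) !== 0) {
            $suspect[$entry] = 'resolves outside the plugin directory';
        } elseif (strtolower(pathinfo($resolved, PATHINFO_EXTENSION)) !== 'php') {
            $suspect[$entry] = 'not a .php file';
        }
    }
    return $suspect;
}

// Constructed sample data: a throwaway directory tree and a made-up list.
$root = sys_get_temp_dir() . '/plugin_audit_' . bin2hex(random_bytes(4));
mkdir("$root/plugins", 0700, true);
file_put_contents("$root/plugins/hello.php", "<?php // constructed sample\n");
file_put_contents("$root/outside.php", "<?php // constructed sample\n");

$active = ['hello.php', '../outside.php', 'removed/removed.php'];
foreach (audit_active_plugins("$root/plugins", $active) as $entry => $reason) {
    echo "$entry: $reason\n";
}
```

On a real site the list would be read from the stored active-plugins option and the check run on a schedule, so that an unexpected entry is noticed even though the application itself loads whatever the database contains.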