[wp-trac] [WordPress Trac] #20195: Plugins uninstall.php

WordPress Trac wp-trac at lists.automattic.com
Tue May 1 01:09:32 UTC 2012


#20195: Plugins uninstall.php
--------------------------+------------------------------
 Reporter:  wpsmith       |       Owner:
     Type:  enhancement   |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Plugins       |     Version:
 Severity:  major         |  Resolution:
 Keywords:  dev-feedback  |
--------------------------+------------------------------

Comment (by nacin):

 Replying to [comment:13 lightningspirit]:
 > Indeed, there is no way to secure once one has access to the
 > environment. Perhaps we could do a "security by obscurity" to wp-load.php,
 > giving the user the option to move wp-load.php one level above, as we
 > currently allow for wp-config.php.

 Not really, because they could always include wp-blog-header, or index, or
 other files. Remote "inclusion" of files is not a vulnerability. I don't
 think allow_url_include does what you think it does.

 Moving wp-config.php up one level is not there for security. It is to use
 WordPress in its own folder, as an SVN external, with wp-config.php
 sitting beside it.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20195#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

