[wp-hackers] Security Vulnerability found - Forum Post

Owen Winkler ringmaster at midnightcircus.com
Thu Apr 14 04:27:12 GMT 2005


Graeme Lennon wrote:

>I think people are getting defensive and dismissing this out of hand.
>It's not critical, but neither is it nothing at all.
>
>If I get access to the file editor, I get to execute completely
>arbitrary PHP code on your server. Which means I can easily compromise
>the Apache user on your server, which may mean all sorts of unpleasant
>things.
>  
>
You can only get access to the file editor as an authorized user.  It 
seems to me that a couple of conditions would need to preexist on the 
server for the javascript insertion to even pose a threat; conditions 
that don't preexist in a default WordPress install.  It seems very 
unlikely that the javascript trick alone could pose any threat but an 
annoyance from users that a diligent site owner should not have 
authorized in the first place.

Nonetheless, the enclosed patch prevents any user from reading or 
writing a file that contains the DB_PASSWORD constant, including the 
wp-admin/templates.php file.  With this not only can't you read files 
that contain your WordPress database password via the web interface, you 
can't alter existing files to output the password.  Of course, this will 
prevent you from editing wp-config.php, setup-config.php, 
wp-config-sample.php, and wp-db.php, but if you have cause to mess with 
those files in the first place, you probably know how to use FTP or SSH 
which would probably be better suited.

Owen

-------------- next part --------------
Index: templates.php
===================================================================
--- templates.php	(revision 2534)
+++ templates.php	(working copy)
@@ -41,6 +41,8 @@
 	}
 
 	$newcontent = stripslashes($_POST['newcontent']);
+	if ( strstr( $newcontent, 'DB_PASSWORD' ) )
+		die( __('<p>You cannot save a file containing the DB_PASSWORD constant via the web interface. Sorry!</p>') );
 	if (is_writeable($real_file)) {
 		$f = fopen($real_file, 'w+');
 		fwrite($f, $newcontent);
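Review bot: the new check at the top of the hunk inspects only $newcontent, so by itself it does not deliver the cover note's promise of preventing writes to a file that contains DB_PASSWORD; the test is on the submitted text, not on the target file. If the intent is to protect such files from modification, read $real_file before the is_writeable() branch and apply the same strstr() test to its existing content, or, better, reuse the path-based rule templates.php already applies to wp-config.php so the decision does not hinge on a literal token appearing in the text. Note also that strstr() is a case-sensitive substring match that fires on comments too, so a theme file that merely mentions DB_PASSWORD becomes unsaveable; the die() message should say which rule tripped.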
@@ -63,17 +65,19 @@
 	if ( strstr( $file, 'wp-config.php' ) )
 		die( __('<p>The config file cannot be edited or viewed through the web interface. Sorry!</p>') );
 
-	update_recently_edited($file);
-
 	if (!is_file($real_file))
 		$error = 1;
 	
 	if (!$error) {
 		$f = fopen($real_file, 'r');
 		$content = fread($f, filesize($real_file));
+		if ( strstr( $content, 'DB_PASSWORD' ) )
+			die( __('<p>The specified file cannot be edited or viewed through the web interface. Sorry!</p>') );
 		$content = htmlspecialchars($content);
 	}
 
+	update_recently_edited($file);
+
 	?>
 <?php if (isset($_GET['a'])) : ?>
  <div class="updated"><p><?php _e('File edited successfully.') ?></p></div>
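Review bot: the content test runs after fopen()/fread() and die() exits with $f still open; call fclose($f) before die(), or have the check set $error so the existing error path handles the message. Moving update_recently_edited($file) below the check is the right call (a file the editor refuses to display should not land in the recently-edited list), but that behaviour change deserves a sentence in the commit message. As in the first hunk, strstr($content, 'DB_PASSWORD') is a literal, case-sensitive match that also matches comments, so expect false positives; allowlisting the paths the editor may open would be a more robust rule than scanning file contents.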
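The patch above decides by file content (a substring check for DB_PASSWORD). The following is an added example, not Owen's patch and not WordPress code, showing the complementary path-based rule a reviewer would ask for: canonicalise the requested path with realpath() and only allow files under an explicit list of directories, keeping the content check as a second line of defence. The root path, the $allowed_dirs list, and the editable_file() and mentions_db_password() helper names are assumptions for illustration.

```php
<?php
// Added example (not part of the patch or of WordPress): path allowlist
// for a web file editor, plus the patch's DB_PASSWORD content rule.
// $base, $allowed_dirs and the helper names below are assumptions.

// Resolve $file against $base and return its canonical path only if it
// is a regular file inside one of the allowed directories; false otherwise.
function editable_file( $file, $base, array $allowed_dirs ) {
    // Reject empty input and embedded NULs before touching the filesystem.
    if ( $file === '' || strpos( $file, "\0" ) !== false ) {
        return false;
    }
    // realpath() collapses "..", symlinks and duplicate separators.
    $real = realpath( $base . '/' . $file );
    if ( $real === false || ! is_file( $real ) ) {
        return false;
    }
    foreach ( $allowed_dirs as $dir ) {
        $real_dir = realpath( $base . '/' . $dir );
        // Compare against "<dir>/" so a sibling such as "themes-old"
        // does not match "themes".
        if ( $real_dir !== false
             && strncmp( $real, $real_dir . DIRECTORY_SEPARATOR, strlen( $real_dir ) + 1 ) === 0 ) {
            return $real;
        }
    }
    return false;
}

// Content rule from the patch, applied to both the existing file and the
// submitted replacement: refuse anything that references DB_PASSWORD.
function mentions_db_password( $content ) {
    return strpos( $content, 'DB_PASSWORD' ) !== false;
}

// Usage sketch mirroring the save path of templates.php (assumed names).
$base         = '/var/www/wordpress';                                 // assumption
$allowed_dirs = array( 'wp-content/themes', 'wp-content/plugins' );   // assumption
$file         = isset( $_POST['file'] ) ? stripslashes( $_POST['file'] ) : '';
$new          = isset( $_POST['newcontent'] ) ? stripslashes( $_POST['newcontent'] ) : '';

$real_file = editable_file( $file, $base, $allowed_dirs );
if ( $real_file === false ) {
    die( '<p>That file cannot be edited through the web interface.</p>' );
}
$existing = file_get_contents( $real_file );
if ( mentions_db_password( $existing ) || mentions_db_password( $new ) ) {
    die( '<p>Files that reference DB_PASSWORD cannot be edited through the web interface.</p>' );
}
// LOCK_EX avoids interleaved writes from two concurrent editor saves.
file_put_contents( $real_file, $new, LOCK_EX );
```

The path check is the primary control: it does not depend on what text happens to be in a file, so it cannot be defeated by rephrasing, and it makes the set of editable files explicit and auditable. The content check stays only to catch files inside the allowed directories that happen to reference the constant.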

