[wp-hackers] Security Vulnerability found - Forum Post

Amit Gupta amit at igeek.info
Thu Apr 14 22:18:33 GMT 2005


OK, so that's not possible; I mean we can't unset a constant, as Matt said, & he doesn't want to change now & break the wp-config files of users.
So what we can do is:

The `$wpdb` object is global, right? So it can be accessed without redefining the connection again or including it in the script. So I'd say that let's check on every page load whether `$wpdb` exists or not. If it exists, then don't load the wp-config file (there's no need, if I'm not wrong). So that way the constants are inaccessible, as they are not global (as far as I know). We can't undo the constants, but we can still restrict access to them by this, so they'll be loaded & accessible only once; next page load & they are gone!!

How about it? Matt?

-----
Amit Gupta





---------- Original Message from "Robert Deaton" <false.hopes at gmail.com> ----------
My point was a bit more security against the script kiddies and noobies, if they were to get access
to the file editor. We already know you can't edit the wp-config file or anything, but you could still
echo out the constants anywhere. This would get rid of that risk. As far as people just fopening it
and parsing them out from there, not much we can do to avoid that. I know it doesn't help security
much, but it'd make things a bit more difficult for script kiddies.

-- 
--Robert Deaton
http://somethingunpredictable.com
