[wp-hackers] InstantUpgrade now with FTP support -- testers needed

Alex Günsche ag.ml2007 at zirona.com
Wed May 30 22:24:10 GMT 2007


On Wed, 2007-05-30 at 17:05 -0500, Stephen Rider wrote:
> The first thing that strikes me on the setup screen....  Is it just  
> me or is my FTP password going to be stored in plaintext in the  
> database?  This seems like a security vulnerability to me.

This is indeed worth discussing.

In my opinion, it is not an (additional) security risk, because usually,
FTP passwords are transmitted in plaintext anyway from your PC to your
server. And in this case, the password is only transmitted from your
(HTTP) server to your (FTP) server, so it doesn't even go across the
internet. The storage of the password is in the WP database, and
usually, nobody but the admin will be able to read the options from
there.

But if somebody can convince me that I'm wrong and/or has an idea how to
make it better, I'll be happy to consider it.

Best regards,
Alex


-- 
Alex Günsche, Zirona OpenSource-Consulting
http://www.zirona.com/ | Help for the HQ AC: http://www.prohq.de
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc


