[wp-trac] [WordPress Trac] #52544: Removing database tables allows anyone to take over all website files
WordPress Trac
noreply at wordpress.org
Tue Feb 16 19:25:39 UTC 2021
#52544: Removing database tables allows anyone to take over all website files
-----------------------------+-----------------------------
Reporter: winternetstudio | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.6.1
Severity: major | Keywords:
Focuses: |
-----------------------------+-----------------------------
Posted first on HackerOne but was referred to here.
== Summary
If one by mistake removes the WordPress database tables but the files are
left intact, a hacker or anyone can "install" WordPress again and do
whatever he wants. It's a bad design choice that puts WordPress
installations at additional risk.
== Consequences
A hacker can install any plugin he wants, even a rogue one that he uploads
himself (we actually had that happen, and our hosting provider's malware
detection triggered and suspended our entire Enterprise account with many
domains). Through that he can then, i.e., access any content files, any
potential other files outside the wordpress folder, and the database
credentials in wp-config.php, and thereby access the database itself and
any other databases/tables that the given mysql user has access to. In
case the hosting provider allows direct mysql access with those
credentials, he can even do that without ever accessing WordPress. (I know
some of these would not occur if following very strict hosting
conventions, but our hosting provider (Simply.com, who is the biggest in
Scandinavia) does not sandbox every domain, and neither do most others that
I know of.)
== Steps To Reproduce
1. I moved a WordPress installation (incl. database tables) somewhere else,
but I didn't realize there was another WordPress installation using that
same database (with a different prefix for the tables, of course). So that
left the database completely empty but all the files still intact.
2. When the hacker (or anyone!) now accesses the site that has no database
tables, WordPress will offer to do an install, of course using the db
credentials it already knows about. He creates an admin account and
everything, and now totally owns the site.
== Recommendations
Once a WordPress installation has been completed another installation
process should never be allowed again using those same files. Either by
setting a flag somewhere, or better yet, by simply removing the
installation script (many packages do this).
I can't imagine any downsides in doing so. The scenario might not happen
very often, but eventually it will (it did for us), so that risk might as
well be eliminated.
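One way to implement the "set a flag" recommendation above, as an added example that is not WordPress core code and not part of the ticket: a guard placed in wp-config.php (which wp-admin/install.php loads via wp-load.php before it touches the database) refuses any later run of the installer while a marker file exists. The marker path `WP_INSTALL_LOCK_FILE` and its location one directory above the web root are assumptions; the operator creates the marker once the real install has completed.

```php
<?php
// Added example (not WordPress core code). Place near the top of wp-config.php,
// before the line that requires wp-settings.php, so it runs before the installer
// can bootstrap against an empty database.

// Hypothetical marker file; keep it outside the document root so the web server
// never serves it. Create it once the legitimate install has finished:
//   touch /path/above/webroot/.wp-install-completed
define( 'WP_INSTALL_LOCK_FILE', dirname( __DIR__ ) . '/.wp-install-completed' );

// Match the installer by script name rather than by the WP_INSTALLING constant,
// which other admin scripts (e.g. the database upgrader) also define.
$wp_install_lock_script = isset( $_SERVER['SCRIPT_FILENAME'] )
    ? basename( $_SERVER['SCRIPT_FILENAME'] )
    : '';

if ( 'install.php' === $wp_install_lock_script && file_exists( WP_INSTALL_LOCK_FILE ) ) {
    // Tables may be gone, but the site was already installed once: log the
    // attempt for the operator and stop before the install form is ever shown.
    error_log( 'Blocked attempt to re-run wp-admin/install.php: install lock present' );
    http_response_code( 403 );
    exit( 'This site has already been installed.' );
}
```

Remove the marker file before an intentional reinstall; because the check matches only install.php, wp-admin/upgrade.php and ordinary page loads are unaffected.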
== Impact
Take over your entire site, access database and potentially other content
on the server.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52544>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform