[wp-trac] [WordPress Trac] #52544: Removing database tables allows anyone to take over all website files
WordPress Trac
noreply at wordpress.org
Sun Mar 28 13:06:12 UTC 2021
#52544: Removing database tables allows anyone to take over all website files
-----------------------------+------------------------------
Reporter: winternetstudio | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.6.1
Severity: major | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by winternetstudio):
Replying to [comment:2 apmarshall]:
> 1. Someone accidentally deletes the database AND a hacker happens to be
> opportunistically lurking and leaps in to install their own site on your
> build.
> 2. A hacker has mySQL permissions to delete the database and uses this
> as a way to take over your install.
> 3. A malicious insider uses this vector to flush the site and make their
> own.
>
> In all three cases, the old site is effectively gone, right? Database
> wiped, you/the hacker are starting from scratch.
That's correct - the database is gone, but all files, including potentially
sensitive ones, are still there. And in the case of an account with many sites,
a hacker would have access to it all. Even a rogue WordPress plugin, I guess,
could purposely delete all the tables in order to gain this kind of access.
Replying to [comment:3 apmarshall]:
> Edit: or, rereading the original post, instead of deleting the database
> itself, you need to essentially wipe it of all content/tables (either
> accidentally or intentionally), thereby leaving the original credentials
> still operational.
Correct - I'm not talking about deleting the database, only deleting the
tables. If the database were deleted, it would of course likely not be possible
for a hacker to recreate it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52544#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform