WordPress.org



[resolved] Database info stored as PHP constant, potential security risk (7 posts)

  1. kjmeath
    Member
    Posted 3 years ago #

    Any admin user could var_dump them in a theme template file... isn't this a potential security risk?

    It makes sense that the initial admin user account that set up the WP install can have access to these constants, being that they entered this information into the installer... but any other admin user account (that is not uid #1) doesn't really need access to these.

  2. elfin
    Moderator
    Posted 3 years ago #

    If you are worried about admins then they shouldn't be admins. They could do a lot more damage than just doing a var_dump.

  3. kjmeath
    Member
    Posted 3 years ago #

    I understand that, but this is beyond the realm of the WP installation. This is giving people access to the database information when there is no need for them to be able to access it.

  4. elfin
    Moderator
    Posted 3 years ago #

    Well, deny them access to editing any file via WordPress, either with a role permission plugin, or by simply changing the chmod on those files.

  5. kjmeath
    Member
    Posted 3 years ago #

    Already doing that in functions.php:

    // Remove the Theme Editor entry from the Appearance submenu.
    // $submenu['themes.php'] is only set when there is an editable theme,
    // so it has to be checked with isset() before iterating over it.
    add_action( 'admin_head', 'removeThemeEditor' );
    function removeThemeEditor() {
        global $submenu;
        if ( ! isset( $submenu['themes.php'] ) ) {
            return;
        }
        foreach ( $submenu['themes.php'] as $id => $editorPage ) {
            // Index 2 of each submenu entry is the menu slug.
            if ( 'theme-editor.php' === $editorPage[2] ) {
                unset( $submenu['themes.php'][ $id ] );
            }
        }
    }

    I hope WP decides to fix this in the future
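The snippet in the post above removes the Theme Editor link from the admin menu, but the editor screen itself is still reachable by URL for any account that holds the edit_themes capability. The following is an added example, not code from the thread or from WordPress core, showing how to deny the file-editing capabilities themselves so the editor pages refuse to load. It assumes the core DISALLOW_FILE_EDIT constant (set in wp-config.php), the core map_meta_cap filter hook (WordPress 4.4 and later), and a hypothetical allowed user ID of 1, matching the installer account the poster refers to.

```php
<?php
/**
 * Added example, not from the original thread. Deny the file-editing
 * capabilities (edit_themes, edit_plugins, edit_files) rather than only
 * hiding the menu links, so theme-editor.php and plugin-editor.php
 * wp_die() for everyone except one chosen account.
 *
 * Assumptions (not stated in the original posts): WordPress 4.4+ for the
 * map_meta_cap filter, and user ID 1 as the account that keeps access.
 */

// 1. Site-wide switch. Placed in wp-config.php (shown commented out here),
//    this makes WordPress's own map_meta_cap() return 'do_not_allow' for
//    edit_themes, edit_plugins and edit_files for every user, including
//    user 1. Use this if nobody needs the in-admin editors.
// define( 'DISALLOW_FILE_EDIT', true );

// 2. Per-user variant for functions.php or a small mu-plugin: every
//    account except $allowed_user_id is denied the file-editing caps.
function example_deny_file_edit_caps( $caps, $cap, $user_id, $args ) {
    $file_edit_caps = array( 'edit_themes', 'edit_plugins', 'edit_files' );
    if ( ! in_array( $cap, $file_edit_caps, true ) ) {
        return $caps;
    }

    $allowed_user_id = 1; // assumption: the initial admin account

    if ( (int) $user_id !== $allowed_user_id ) {
        // 'do_not_allow' is a capability no role is ever granted, so
        // current_user_can( 'edit_themes' ) becomes false and the editor
        // screens stop with "Sorry, you are not allowed to edit ...".
        return array( 'do_not_allow' );
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'example_deny_file_edit_caps', 10, 4 );

// 3. Also remove the now-useless menu entries, using the core helper
//    instead of editing the $submenu global by hand. A late priority
//    runs after core has registered the entries.
function example_remove_editor_menus() {
    remove_submenu_page( 'themes.php', 'theme-editor.php' );
    remove_submenu_page( 'plugins.php', 'plugin-editor.php' );
}
add_action( 'admin_menu', 'example_remove_editor_menus', 999 );
```

Two caveats for a practitioner: denying edit_themes only closes the built-in editors, so an administrator who can still upload a plugin or theme ZIP can run arbitrary PHP (and var_dump the DB constants) that way; the core DISALLOW_FILE_MODS constant also disables installs, updates and uploads. And since the per-user filter lives in a theme or plugin file, it only holds if the other admins cannot modify that file, which is where the file-system permissions the moderator mentions come in.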

  6. elfin
    Moderator
    Posted 3 years ago #

    If you feel it to be a security issue then email security@wordpress.org

  7. kjmeath
    Member
    Posted 3 years ago #

    Will do, cheers!

This topic has been closed to new replies.
