Ready to get started?Download WordPress


Code Insert Manager (Q2W3 Inc Manager)
[resolved] Deadly SECURITY bug: wp-config exposed via php inse (6 posts)

  1. Eric Murphy
    Posted 1 year ago #

    Any admin in a WP multi site installation (even without superadmin privileges or without FTP access) can read/write wp-config.php.

    He just needs to add a new insert with the following code:

    $GetContent = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/wp-config.php');
    echo '<pre>'.htmlentities($GetContent).'</pre>';

    (Proof of concept)

    Please try to fix it.


  2. Max Bond
    Plugin Author

    Posted 1 year ago #

    I see only one way to really fix it: to forbid includes with php code execution for non superadmin users.
    What do you think?

  3. Eric Murphy
    Posted 1 year ago #

    It would be better if PHP could be turned on/off on a per-blog basis by the network admin.

  4. evdboogaard
    Posted 1 year ago #


  5. Eric Murphy
    Posted 1 year ago #

    OK, I have another solution for this security bug.

    Make another plugin, exactly like the current one, but without PHP functionality.

    That way I could install 2 plugins, one for regular network admins and one for network admins I trust.

  6. Max Bond
    Plugin Author

    Posted 1 year ago #

    Hello guys!
    Sorry for long delay!

    Finally I have made a secure version of Code Insert Manager.
    You can download it here: http://downloads.wordpress.org/plugin/q2w3-inc-manager.secure.zip

    Note. Archive structure is a little bit complex. You need upload to plugins dir only q2w3-inc-manager-sec folder!

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic


No tags yet.