[Plugin: Code Insert Manager (Q2W3 Inc Manager)] Deadly SECURITY bug: wp-config exposed via php inse | WordPress.org

Resolved Eric Murphy
(@knn)

11 years, 7 months ago
Any admin in a WP multi site installation (even without superadmin privileges or without FTP access) can read/write wp-config.php.

He just needs to add a new insert with the following code:
```
<?php
$GetContent = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/wp-config.php');
echo '<pre>'.htmlentities($GetContent).'</pre>';
?>
```
(Proof of concept)

Please try to fix it.

http://wordpress.org/extend/plugins/q2w3-inc-manager/

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Author Max Bond
(@max-bond)

11 years, 7 months ago

I see only one way to really fix it: to forbid includes with php code execution for non superadmin users.
What do you think?

Thread Starter Eric Murphy
(@knn)

11 years, 7 months ago

It would be better if PHP could be turned on/off on a per-blog basis by the network admin.

evdboogaard
(@evdboogaard)

11 years, 4 months ago

+1

Thread Starter Eric Murphy
(@knn)

11 years, 2 months ago

OK, I have another solution for this security bug.

Make another plugin, exactly like the current one, but without PHP functionality.

That way I could install 2 plugins, one for regular network admins and one for network admins I trust.

Plugin Author Max Bond
(@max-bond)

11 years, 2 months ago

Hello guys!
Sorry for long delay!

Finally I have made a secure version of Code Insert Manager.
You can download it here: http://downloads.wordpress.org/plugin/q2w3-inc-manager.secure.zip

Note. Archive structure is a little bit complex. You need upload to plugins dir only q2w3-inc-manager-sec folder!

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘[Plugin: Code Insert Manager (Q2W3 Inc Manager)] Deadly SECURITY bug: wp-config exposed via php inse’ is closed to new replies.

In: Plugins
5 replies
3 participants
Last reply from: Max Bond
Last activity: 11 years, 2 months ago
Status: resolved