Posted 4 years ago #
Hi,
When I install WordPress (2.6.2), at the end of the installation it shows me the database password, not the administrators password. It sends the correct administrators password in the 'New WordPress Blog' e-mail, so it is generating and sending the AGP password correctly, however showing the database password on the installation screen is a serious security flaw.
Any ideas on what might be causing this?
Thanks in advance,
Ian
Posted 4 years ago #
That's weird. I've never had it show me the database password at any point during the installation.
Never heard of such.
Posted 4 years ago #
OK, I went through the code, and in install.php, line 82, it calls (PHP)extract on the array returned by the wp_install function in upgrade.php (line 51).
Here is the relevant code
>> returning the array
return array('url' => $guessurl, 'user_id' => $user_id, 'password' => $random_password);
>> calling extract
extract($result, EXTR_SKIP);
Note that extract is called with EXTR_SKIP which means that if the variable $password already exists, it
be overwritten by extract.
I suspect what is happening is that $password is being set to the database password by some earlier process in the installation, and when $random_password is returned by wp_install, extract is not overwriting $password with the new value.
I am going to test this theory and post back here.
BTW, can someone tell me how I can log into Trac? It's probably a better place for this kind of discussion.
Posted 4 years ago #
My apologies: I found a hack in the code (not WP code) that set the value of $password before installation.
Still, it would be good to know how to log into Trac.
Sorry for wasting your time.
Ian
This topic has been closed to new replies.
