WordPress.org


Possible security flaw in Installation (5 posts)

  1. russiankettlebellsguide
    Member
    Posted 5 years ago #

    Hi,

    When I install WordPress (2.6.2), at the end of the installation it shows me the database password, not the administrators password. It sends the correct administrators password in the 'New WordPress Blog' e-mail, so it is generating and sending the AGP password correctly, however showing the database password on the installation screen is a serious security flaw.

    Any ideas on what might be causing this?

    Thanks in advance,

    Ian

  2. thisisedie
    Member
    Posted 5 years ago #

    That's weird. I've never had it show me the database password at any point during the installation.

  3. Samuel B
    moderator
    Posted 5 years ago #

    Never heard of such.

  4. russiankettlebellsguide
    Member
    Posted 5 years ago #

    OK, I went through the code, and in install.php, line 82, it calls (PHP) extract on the array returned by the wp_install function in upgrade.php (line 51).

    Here is the relevant code:

    >> returning the array
    return array('url' => $guessurl, 'user_id' => $user_id, 'password' => $random_password);

    >> calling extract
    extract($result, EXTR_SKIP);

    Note that extract is called with EXTR_SKIP, which means that if the variable $password already exists, it *won't* be overwritten by extract.

    I suspect what is happening is that $password is being set to the database password by some earlier process in the installation, and when $random_password is returned by wp_install, extract is not overwriting $password with the new value.

    I am going to test this theory and post back here.

    BTW, can someone tell me how I can log into Trac? It's probably a better place for this kind of discussion.
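An added example (not from this thread or from WordPress) that reproduces the EXTR_SKIP behaviour described in the post above; the function names and the password values are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not WordPress code. Shows why extract($result, EXTR_SKIP)
// leaves a pre-existing $password untouched, so the installer would print
// whatever $password already held instead of the freshly generated one.
// wp_install_result(), show_install_result() and show_install_result_safe()
// are hypothetical stand-ins; all values are constructed.

function wp_install_result(): array {
    // Stand-in for the array returned by wp_install(): url, user_id, password.
    return array(
        'url'      => 'http://example.test',
        'user_id'  => 1,
        'password' => 'Adm1n-Rand0m-Pw',
    );
}

// Mirrors the installer's pattern: extract() the result array, then print $password.
// $preset_password simulates a stray assignment made earlier in the same request.
function show_install_result(array $result, bool $preset_password): string {
    if ($preset_password) {
        // e.g. a local modification that copied the database password into $password
        $password = 'db-secret-constructed';
    }
    // EXTR_SKIP: if $password is already defined, the array's 'password' key is ignored.
    extract($result, EXTR_SKIP);
    return "Username: admin, Password: " . $password;
}

// Defensive variant: read the key explicitly so no earlier variable can shadow it.
function show_install_result_safe(array $result): string {
    return "Username: admin, Password: " . $result['password'];
}

$result = wp_install_result();

// No pre-existing $password: extract() defines it from the array as intended.
echo show_install_result($result, false), "\n";

// $password already set: EXTR_SKIP keeps the old value, the admin password is never shown.
echo show_install_result($result, true), "\n";

// Explicit array access is unaffected by whatever $password held beforehand.
echo show_install_result_safe($result), "\n";
```

Run the three calls to compare what each variant prints; only the second one echoes the pre-set value instead of the generated password.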

  5. russiankettlebellsguide
    Member
    Posted 5 years ago #

    My apologies: I found a hack in the code (not WP code) that set the value of $password before installation.

    Still, it would be good to know how to log into Trac.

    Sorry for wasting your time.

    Ian


This topic has been closed to new replies.
