Security Issue? (6 posts)

  1. loller6661
    Member
    Posted 5 years ago #

    Can this be done??

    If so, wouldn't it be necessary to remove install.php after WP install?
    Would it affect updates?

    Step 1. Excessively access /wp-admin/install.php to get mysql server temporarily down because of too many parallel connections.

    Step 2. Because mysql server is down, the install.php will no longer show "You appear to have already installed WordPress. To reinstall please clear your old database tables first", but will respond like a new installation with a form to fill in domain and email, because the function is_blog_installed() in the source code of install.php will return "FALSE" for its failure in accessing the database.

    Step 3. Fill the form with new domain and new email and try to update the database when mysql server has just recovered to work. If successful, they will get a new admin account sent to their email, all the internal links of my blog will become external links and they will steal lots of traffic and hardlinks. If not successful, my site will be still down.

    So, I should say I'm lucky that servage has a limitation in hits and my account won't recover until tomorrow. This is a very dangerous security hack.

  2. tomontoast
    Member
    Posted 5 years ago #

    Simple answer NO.

    When the wpdb is loaded it checks that it can make a connection with the database. If this fails it calls the function wp_die() which will halt the script. The only way for you to carry out this hack would be either to modify the data travelling from the MySQL database or to in some way cause the database to shut down between the connection being made and WordPress requesting is_blog_installed().

    Having said that, removing install.php after you have installed your blog might be a good idea and would improve the security of your blog.

  3. loller6661
    Member
    Posted 5 years ago #

    ok thx for the feedback.

    Will it give issues when I upgrade the blog when having install.php removed?

  4. whooami
    Member
    Posted 5 years ago #

    who cares, remove it. I remove it. always.

    even better for you maybe, just rename it.

  5. tomontoast
    Member
    Posted 5 years ago #

    No, it won't affect upgrading your blog. install.php is only for creating a completely new copy of WordPress.

  6. loller6661
    Member
    Posted 5 years ago #

    ok thanks guys
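
The remove-or-rename advice from the replies above, as an added shell example that is not part of the original thread or of WordPress itself: it audits a docroot for WordPress trees that still ship `wp-admin/install.php` and renames the file so it is no longer served as PHP. Assumptions: sites sit as subdirectories under one docroot, the `.disabled` name and the function names are our own choices, and the web server maps only `.php` files to the PHP handler.

```shell
#!/bin/sh
# Added example (not WordPress code): find and disable leftover installers.
# Usage after sourcing or pasting: disable_installers /var/www   (path is a placeholder)

# Print the path of every wp-admin/install.php under $1 that belongs to a
# WordPress tree. A sibling wp-includes directory is used as the marker so
# unrelated files that merely share the name are not touched.
find_installers() {
    find "$1" -type f -path '*/wp-admin/install.php' 2>/dev/null |
    while IFS= read -r f; do
        root=${f%/wp-admin/install.php}
        if [ -d "$root/wp-includes" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Rename each installer found under $1 to install.disabled and strip its
# permissions. The .php suffix is dropped on purpose: a name such as
# install.php.disabled can still be handed to PHP by some handler setups.
# Prints the number of files disabled, so a cron job or CI step can alert
# when the count is non-zero (for example, if the file reappears).
disable_installers() {
    count=0
    list=$(find_installers "$1")
    if [ -z "$list" ]; then
        echo 0
        return 0
    fi
    # A here-document keeps the loop in the current shell so $count survives.
    while IFS= read -r f; do
        target="${f%.php}.disabled"
        if mv -- "$f" "$target" && chmod 000 "$target"; then
            count=$((count + 1))
        else
            echo "could not disable $f" >&2
        fi
    done <<EOF
$list
EOF
    echo "$count"
}
```

Run `find_installers` alone first for a read-only report; paths containing newlines are not handled.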

Topic Closed

This topic has been closed to new replies.
