WordPress.org

security problem (2 posts)

  1. kae
    Member
    Posted 9 years ago #

    I installed a nightly build this morning, and just got around to messing with it.
    One thing I've always had trouble with was how the WordPress templating system allows code access to the blogger.
    For instance, on a multi-user site, where the user may be relatively anonymous, it's not advisable to allow the user to put, say
    <?php include('/etc/passwd');include('/etc/shadow'); ?>
    into their template.
    While most systems do run Apache under a httpd user, there may be some people out there running it under root, allowing this to be exploited.
    Besides, this may be used to do other stuff - such as maybe:
    <?=htmlspecialchars(join('',file('wp-config.php')));?>
    That, on my own system, outputs the database username and password to the screen...
    Don't know if that's even something to worry about, but definitely something to think about.
    Kae

  2. NuclearMoose
    Member
    Posted 9 years ago #

    Here is a listing of many discussions about security. Security is a concern for everyone, and the developers are totally aware of this. Others have raised the very issue that you just did. Check out the threads in the above list to see the various responses to security questions.
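
The concern in the first post is that a user-editable template is executed as PHP. As an added example (not part of this thread and not WordPress code), here is a save-time check that uses PHP's built-in tokenizer to find every region of a template the interpreter would run rather than emit. The function name `find_template_php` and the sample template are assumptions made for illustration.

```php
<?php
// Added example: hypothetical save-time gate for templates edited by untrusted
// users. find_template_php() is an illustrative name, not a WordPress function.

// Returns one ['line', 'code', 'note'] entry per region PHP would execute.
function find_template_php(string $source): array
{
    $findings = [];
    $open = null; // index of the PHP block currently being collected
    foreach (token_get_all($source) as $token) {
        [$id, $text, $line] = is_array($token) ? $token : [null, $token, 0];
        if ($id === T_INLINE_HTML) {
            $open = null;
            // If short_open_tag is off where this scan runs, a bare "<?" stays
            // in inline HTML here but would run on a server that enables it.
            $pos = strpos($text, '<?');
            if ($pos !== false) {
                $findings[] = [
                    'line' => $line + substr_count(substr($text, 0, $pos), "\n"),
                    'code' => substr($text, $pos, 60),
                    'note' => 'executes if short_open_tag is on',
                ];
            }
            continue;
        }
        if ($id === T_OPEN_TAG || $id === T_OPEN_TAG_WITH_ECHO) {
            $findings[] = ['line' => $line, 'code' => '', 'note' => 'PHP block'];
            $open = count($findings) - 1;
        }
        if ($open !== null) {
            $findings[$open]['code'] .= $text; // accumulate the block's source
        }
    }
    return $findings;
}

// Constructed sample: a template holding the two snippets from the first post.
// It is only tokenized as a string here, never included or evaluated.
$template = <<<'TPL'
<h1>My blog</h1>
<?php include('/etc/passwd');include('/etc/shadow'); ?>
<p>Footer</p>
<?=htmlspecialchars(join('',file('wp-config.php')));?>
TPL;

$findings = find_template_php($template);
foreach ($findings as $f) {
    printf("line %d [%s]: %s\n", $f['line'], $f['note'], trim($f['code']));
}
echo $findings ? "REJECT: template contains PHP\n" : "OK: inert markup\n";
```

A gate like this only helps if the saved template is also never passed to `include` or `eval` by another path; on a multi-user site the safer design is to render user templates with a non-executing placeholder syntax.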
