Database info stored as PHP constant, potential security risk

  • Resolved User Removed

    (@kjmeath)


    Any admin user could var_dump them in a theme template file… isn't this a potential security risk?

    It makes sense that the initial admin user account that set up the WP install can have access to these constants, being that they entered this information into the installer… but any other admin user account (that is not uid #1) doesn't really need access to these.

Viewing 6 replies - 1 through 6 (of 6 total)
  • elfin

    (@elfin)

    If you are worried about admins then they shouldn’t be admins. They could do a lot more damage than just doing a var_dump.

    I understand that, but this is beyond the realm of the WP installation. This is giving people access to the database information when there is no need for them to be able to access it.

    elfin

    (@elfin)

    Well, deny them access to editing any file via WordPress, either with a role-permission plugin or by simply changing the chmod on those files.

    Already doing that in functions.php:

    add_action( 'admin_head', 'removeThemeEditor' );
    function removeThemeEditor() {
        global $submenu;
        // Nothing to do if the Appearance menu has no submenu entries.
        if ( empty( $submenu['themes.php'] ) ) {
            return;
        }
        // Index 2 of each submenu entry is its page slug.
        foreach ( $submenu['themes.php'] as $id => $editorPage ) {
            if ( $editorPage[2] === 'theme-editor.php' ) {
                unset( $submenu['themes.php'][ $id ] );
            }
        }
    }

    I hope WP decides to fix this in the future
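Hiding the Theme Editor menu entry, as the functions.php snippet above does, only removes the link: a second administrator can still open theme-editor.php directly, and can still upload a plugin that dumps DB_PASSWORD. The following is an added example, not code from this thread or from WordPress itself, showing the capability-based route elfin describes: a must-use plugin that denies the code-changing capabilities to every user except the installing admin. The file name restrict-code-access.php, the function and constant names, and the assumption that the installing admin is user ID 1 are mine; the map_meta_cap filter and the do_not_allow convention are WordPress core.

```php
<?php
/**
 * Plugin Name: Restrict code access (added example, not from the thread)
 *
 * Must-use plugin, to be saved as wp-content/mu-plugins/restrict-code-access.php.
 * Denies every user except the trusted admin the capabilities that let them put
 * or change PHP on the server (theme/plugin editor, uploads, installs, updates),
 * which is what a second admin would need to var_dump the DB_* constants.
 */

// Assumption for this example: the account that ran the installer is user ID 1.
const RESTRICT_CODE_ACCESS_TRUSTED_USER = 1;

// Capabilities whose holder can get arbitrary PHP executed on the site.
const RESTRICT_CODE_ACCESS_CAPS = array(
    'edit_files',      // file editing in general
    'edit_themes',     // theme-editor.php
    'edit_plugins',    // plugin-editor.php
    'install_themes',
    'install_plugins', // also behind the "Upload Plugin" zip form
    'upload_themes',
    'upload_plugins',
    'update_themes',
    'update_plugins',
);

/**
 * map_meta_cap filter (core passes four arguments). For any user other than the
 * trusted one, replace the primitive capabilities required for a code-changing
 * action with 'do_not_allow', which no role grants, so current_user_can() fails
 * regardless of the role the user holds. This blocks the editor page itself and
 * the upload/install screens, not just their menu links.
 */
function restrict_code_access_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( (int) $user_id === RESTRICT_CODE_ACCESS_TRUSTED_USER ) {
        return $caps; // the installing admin keeps whatever core would allow
    }
    if ( in_array( $cap, RESTRICT_CODE_ACCESS_CAPS, true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps; // everything else is untouched
}
add_filter( 'map_meta_cap', 'restrict_code_access_map_meta_cap', 10, 4 );
```

Drop the file into wp-content/mu-plugins/ (create the directory if it does not exist); must-use plugins load on every request and cannot be deactivated from the dashboard, unlike code in a theme's functions.php. If no account should have the editors at all, define('DISALLOW_FILE_EDIT', true) in wp-config.php does the same for everyone, since core maps edit_files, edit_themes and edit_plugins to do_not_allow when that constant is set. The chmod elfin mentions is the filesystem-side complement, but the PHP process still has to read wp-config.php, so it stops new files from being written rather than stopping code that already runs from reading the constants.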

    elfin

    (@elfin)

    If you feel it to be a security issue then email security@wordpress.org

    Will do, cheers!
