• Sparky

    (@sparky)


    I have 2 different databases, and on each one I have a WordPress… and one of them was hacked. The person got in, removed every category besides the default one, and renamed it very inappropriately!!! so i changed my password, renamed the category, and downloaded my files…. but still? how can i prevent this from happening again?? i never told anyone my password…

Viewing 8 replies - 16 through 23 (of 23 total)
  • @streetmedic:
    I don’t think this is relevant to the problem in hand here. WordPress doesn’t work by using the arguments in the url to include files; these are passed into the sql query to find things, for example posts with index.php?p=1234 looking for post id 1234.

    westi

    TechGnome

    (@techgnome)

    westi – it very much is. WP as it is doesn’t do that but there are ways listed out there that allow people “to include their [html] pages, as seen in many tutorials all over the web (like for example at EnglishSun.org).”

    Again, out of the box, WP doesn’t have this ability, but there are plugins, hacks, and code snippets out there that do allow for that. It was one of the primary ways of doing “pages” back in 1.2, and some people have carried it over to 1.5. This is the primary reason I never did it on my site. However, there are ways to implement this safely, and lock it down so that outside files cannot be included.

    I think it’s very much relevant to the issue. If someone had this hack installed, and it was discovered, I could use it to run a PHP file that adds a user for me into the database. I could then login to the admin, and start creating havoc with the system.

    Tg
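
An added example, not part of the thread and not WordPress code: one way to lock down the kind of page-include snippet TechGnome describes so that only known local files can be served. The `page` parameter, the `pages` directory, the slugs and the function name `resolve_page` are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based page include (all names are hypothetical).
// Assumption: static pages live in a "pages" directory next to this script
// and are selected with ?page=<slug>.

const PAGES_DIR = __DIR__ . '/pages';

// Fixed map of slug => file. The request value is only ever used as a
// lookup key, never as part of a path or URL.
const ALLOWED_PAGES = [
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

/**
 * Return the absolute path of the page for $slug, or null if the slug is
 * not on the allowlist or the file resolves outside PAGES_DIR.
 */
function resolve_page($slug): ?string
{
    // Rejects unknown slugs, array input, URLs and "../" sequences alike.
    if (!is_string($slug) || !array_key_exists($slug, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$slug]);
    // Defence in depth: the resolved file must exist and sit inside PAGES_DIR
    // (catches a symlink that points somewhere else).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'about');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
// readfile() sends the file as static content; it is never executed as PHP.
readfile($path);
```

Keeping `allow_url_include` off in php.ini closes the remote-file case even where some other snippet does pass request input to `include`.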

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Streetmedic, the exploit you are referring to was corrected back in WP v1.2.2.

    jonathandrain

    (@jonathandrain)

    Do you have phpmyadmin installed? If you do, and someone guesses what directory you installed phpmyadmin to, they can get into your database, which could give someone full control of your WordPress.

    Alternatively, if your password was easily guessable they might have gotten in that way.

    Alternatively, check that you’re the only user on the server who has access to that database.

    Thread Starter Sparky

    (@sparky)

    streetmedic, i don’t use that coding.

    JonathanDrain, i do not believe i have that installed. i’ll go check, but i doubt i have it. i don’t think my password was that easy to guess, and i don’t know how anyone could have gotten it.

    i’m going to upgrade to 1.5 right now.

    what does this mean: (i’m backing up my site from cpanel)
    Backup Destination:
    Remote Server (FTP/SCP only):
    Remote User (FTP/SCP only):
    Remote Password (FTP/SCP only):
    Port (FTP/SCP only)
    Remote Dir (FTP/SCP only)

    jonathandrain

    (@jonathandrain)

    I presume the backup destination is the directory/folder where you want to back up the database to, while those other options are if you want to back it up to a different server via FTP.

    Thread Starter Sparky

    (@sparky)

    ok. i’ll try that out. i just upgraded one of my 2 wp’s to 1.5, i have to fix the theme and upgrade the other too.

    Thread Starter Sparky

    (@sparky)

    “Do you have phpmyadmin installed? If you do, and someone guesses what directory you installed phpmyadmin to, they can get into your database, which could give someone full control of your WordPress.”

    I just realized… I DO have it installed. And I didn’t know about it. 🙁 Now what? I’ve done all I can to protect my stuff, but I just realized I have it installed, and it came with my hosting… I didn’t install it myself.

  • The topic ‘I’ve Been Hacked!!’ is closed to new replies.