Support » Installing WordPress » Possible security flaw in Installation

  • russiankettlebellsguide



    When I install WordPress (2.6.2), at the end of the installation it shows me the database password, not the administrators password. It sends the correct administrators password in the ‘New WordPress Blog’ e-mail, so it is generating and sending the AGP password correctly, however showing the database password on the installation screen is a serious security flaw.

    Any ideas on what might be causing this?

    Thanks in advance,


Viewing 4 replies - 1 through 4 (of 4 total)
  • That’s weird. I’ve never had it show me the database password at any point during the installation.

    Never heard of such.



    OK, I went through the code, and in install.php, line 82, it calls (PHP)extract on the array returned by the wp_install function in upgrade.php (line 51).

    Here is the relevant code
    >> returning the array
    return array(‘url’ => $guessurl, ‘user_id’ => $user_id, ‘password’ => $random_password);

    >> calling extract
    extract($result, EXTR_SKIP);

    Note that extract is called with EXTR_SKIP which means that if the variable $password already exists, it


    be overwritten by extract.

    I suspect what is happening is that $password is being set to the database password by some earlier process in the installation, and when $random_password is returned by wp_install, extract is not overwriting $password with the new value.

    I am going to test this theory and post back here.

    BTW, can someone tell me how I can log into Trac? It’s probably a better place for this kind of discussion.



    My apologies: I found a hack in the code (not WP code) that set the value of $password before installation.

    Still, it would be good to know how to log into Trac.

    Sorry for wasting your time.


Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Possible security flaw in Installation’ is closed to new replies.