Secunia reports bug... (5 posts)

  1. OperaManiac
    Member
    Posted 9 years ago #

    http://secunia.com/advisories/20928/

    I found some of my blogs show the blog's database name along with the prefix through the code mentioned here.

    I am not sure how insecure it makes my blog... but what do the developers think?

  2. whooami
    Member
    Posted 9 years ago #

    Inside /includes/wp-db.php there is a variable for suppressing MySQL error messages:

    class wpdb {

    var $show_errors = true;

    I learned a while ago that setting that to false doesn't change anything.

    However, further down from there, you have:

    // ============
    // Print SQL/DB error.

    Immediately beneath that is where error handling and display is taken care of.
    ----------
    Changing the following will suppress MySQL errors... and a note of caution, this is for informational purposes only and could backfire if a plugin has an issue and you're trying to debug it. There also might be an easier way, I just know that this works.

    ===

    find this line in wp-db.php:

    var $show_errors = true;
    change to:
    var $show_errors = false;

    further down in wp-db.php find this line:
    if ( $this->show_errors ) {
    change it to:
    if ( $this->hide_errors =="true" ) {

    and you will have suppressed all MySQL error messages.

    Again, purely for informational purposes.
    And btw, that code seems horribly assbackwards to me also, but it does work.

    On a site where you're fairly confident you won't hose anything up that you might need to debug, it could be useful to employ this. I do, but then knowing what I've changed, I know what to do to get back the messages in the event I need them. I also am not trying out new plugins every day, changing this, changing that, my site's pretty stable.

    result :

    http://www.village-idiot.org/index.php?paged=-1

  3. whooami
    Member
    Posted 9 years ago #

    As for how insecure it makes your blog, and mind you this is my opinion and I am not a developer:

    I follow the credo that the more information someone that might be out to do harm has, the better it is for them. The less they have, the better it is for me. Even if the info might seem useless by itself, it is one more piece to the puzzle.

    Being able to see MySQL error messages allows one thing that's always troubled me -- if "they" happen to screw up during some sort of MySQL injection attempt, they get the benefit of seeing where they went wrong. This way, at least, they do not.

    Lastly, it's not a bug. It's the standard way things are done, displaying error messages, that is. There are probably countless other things that will result in similar messages.

  4. OperaManiac
    Member
    Posted 9 years ago #

    Maybe the developers make sure that the SQL bugs are only displayed to the logged-in administrators of the blog! That would solve the issue with debugging. :)

  5. whooami
    Member
    Posted 9 years ago #

    That's an idea.. :)
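
The idea from the last two posts (show SQL errors only to logged-in administrators, log them for everyone else), as an added example that is not part of the thread and not WordPress code. `DemoDb`, `reportError`, the `$isAdmin` and `$logger` callbacks, and the sample error and query are all hypothetical stand-ins.

```php
<?php
// Added example: hypothetical stand-in for a database wrapper, not WordPress's wpdb.
class DemoDb
{
    /** @var callable returns true when the visitor is a logged-in administrator */
    private $isAdmin;
    /** @var callable receives the full error detail for the server-side log */
    private $logger;

    public function __construct(callable $isAdmin, callable $logger)
    {
        $this->isAdmin = $isAdmin;
        $this->logger  = $logger;
    }

    /** Handle a failed query: always log the detail, return the HTML to display. */
    public function reportError(string $error, string $query): string
    {
        // Full detail goes to the server log in every case, so debugging stays possible.
        ($this->logger)(sprintf('DB error [%s] in query [%s]', $error, $query));

        if (($this->isAdmin)()) {
            // Escape before echoing: the query may contain request-supplied text.
            return '<div class="db-error"><p>Database error: ['
                . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . ']<br /><code>'
                . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '</code></p></div>';
        }
        // Everyone else sees no database name, table prefix or SQL.
        return '<p>Sorry, something went wrong.</p>';
    }
}

// Constructed sample input: the error text and query are made up for this demo.
$error = "You have an error in your SQL syntax near '-20, 10'";
$query = "SELECT * FROM example_posts LIMIT -20, 10";

// Collect log lines in an array here; a real site could pass 'error_log' instead.
$log = [];
$logger = function (string $line) use (&$log) { $log[] = $line; };

$visitorDb = new DemoDb(function () { return false; }, $logger);
$adminDb   = new DemoDb(function () { return true; }, $logger);

echo $visitorDb->reportError($error, $query), "\n"; // generic message only
echo $adminDb->reportError($error, $query), "\n";   // escaped error and query
echo count($log), " log entries\n";                 // both failures were logged
```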

Topic Closed

This topic has been closed to new replies.
