Can this be done??
if so wouldnt it be necessary to remove install.php after wp instal?
would it affect updates?
Step 1. Excessively access /wp-admin/install.php to get mysql server temperorily down because of too many parallel connections.
Step 2. Because mysql sever is down, the install.php will no longer show “You appear to have already installed WordPress. To reinstall please clear your old database tables first”, but will respond like a new installation with a form to fill in domain and email, because the function is_blog_installed() in the source codes of install.php will return “FALSE” for its failure in accessing the database.
Step 3. Fill the form with new domain and new email and try to update the database when mysql server has just recovered to work. If successful, they will get a new admin account sent to their email, all the internal links of my blog will become external links and they will steal lots of traffic and hardlinks. If not successful, my site will be still down.
So, I should say I’m lucky that servage has a limitation in hits and my account won’t recover until tomorrow. This is a very dangerous security hack.
- The topic ‘Security Issue?’ is closed to new replies.