Security issue
The way WPMU is set up, all of the WordPress sites are in the same database but with different tables.
If a user is admin of his site but not super admin, he can still execute code on his site like
<?php echo "pass: ".DB_PASSWORD."<br />"; echo "name: ".DB_NAME."<br />"; echo "user: ".DB_USER."<br />"; echo "host: ".DB_HOST."<br />"; ?>
and get the database password and have access to modify sites other than his own. It’s locked down so users can’t add their own themes or plugins, so that takes care of adding PHP code that way. But some themes like Atahualpa allow you to add your own html, javascript, php to the page, thus once again allowing users to execute malicious code.
I want to run a WPMU site and give my users the ability to customize their themes, but there doesn’t seem to be a way to allow customization on the html level without opening up this major security leak.
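An audit check for the risk described in the post, added here as an example (not code from the post or from any theme): before a theme is enabled network-wide, it flags theme PHP that passes stored option values to `eval()` or `create_function()`, which is what would let a site admin run PHP from a settings page. The sample theme source and the name `audit_theme_source` are constructed for illustration.

```python
import re

# PHP constructs that run a string as code.
SINK = re.compile(r"\b(eval|create_function)\s*\((.*)", re.I)
# Values a site admin can set: stored options/theme mods and request data.
SOURCE = re.compile(
    r"\b(?:get_option|get_theme_mod|get_site_option)\s*\(|\$_(?:POST|GET|REQUEST)\b")
ASSIGN = re.compile(r"(\$\w+)(?:\[[^\]]*\])*\s*\.?=(?![=>])\s*(.*)")
VAR = re.compile(r"\$\w+")
COMMENT = re.compile(r"(?:^|\s)(?://|#).*")  # line comments only (heuristic)


def audit_theme_source(php_source):
    """Return [(line_no, sink, how)] for sinks fed by admin-controlled data."""
    tainted, findings = set(), []
    for no, raw in enumerate(php_source.splitlines(), 1):
        line = COMMENT.sub("", raw)
        assign = ASSIGN.search(line)
        if assign:
            var, rhs = assign.groups()
            # Propagate taint: direct read of a source, or copy of a tainted variable.
            if SOURCE.search(rhs) or tainted & set(VAR.findall(rhs)):
                tainted.add(var)
        sink = SINK.search(line)
        if sink:
            name, arg = sink.group(1).lower(), sink.group(2)
            used = sorted(tainted & set(VAR.findall(arg)))
            if SOURCE.search(arg):
                findings.append((no, name, "direct"))
            elif used:
                findings.append((no, name, "via " + ", ".join(used)))
    return findings


# Constructed sample: a theme file that stores "custom code" in its options.
SAMPLE = r"""<?php
$settings = get_option('example_theme_settings');
$header = $settings['header_code'];
// eval($header); disabled
echo wp_kses_post($settings['footer_html']);
eval('?>' . $header);
eval(get_theme_mod('custom_php'));
$n = 2; eval('return 1 + 1;');
"""

if __name__ == "__main__":
    for line_no, sink, how in audit_theme_source(SAMPLE):
        print(f"line {line_no}: {sink}() receives admin-controlled data ({how})")
```

The scan is line-based, so statements split across several lines or taint passed through function calls are missed; treat a clean result as a first pass, not proof.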