Security issue

  • The way WPMU is set up, all of the wordpress sites are in the same database but with different tables.

    If a user is admin of his site but not super admin, he can still execute code on his site like

    <?php
    echo "pass: ".DB_PASSWORD."<br />";
    echo "name: ".DB_NAME."<br />";
    echo "user: ".DB_USER."<br />";
    echo "host: ".DB_HOST."<br />";
    ?>

    and get the database password and have access to modify sites other than his own. It’s locked down so users can’t add their own themes or plugins, so that takes care of adding PHP code that way. But some themes like Atahualpa allow you to add your own html, javascript, php to the page, thus once again allowing users to execute malicious code.

    I want to run a WPMU site and give my users the ability to customize their themes, but there doesn’t seem to be a way to allow customization on the html level without opening up this major security leak.

Viewing 1 replies (of 1 total)
  • But some themes like Atahualpa allow you to add your own html, javascript, php to the page, thus once again allowing users to execute malicious code.

    Then I would not install that theme.

    If you’re opening your site to public signups, then it’s *your* responsibility to make sure you haven’t installed themes or plugins the users can take advantage of.

    There are plenty of themes out there that don’t allow it. Plenty of sites are running quite securely – in fact, I’ve always found the network area & MU to be *more* secure, not less.

    The best thing to do would be to notify the theme developer so he can fix the theme so only site admins have access to certain areas.
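As an added illustration of the fix the reply asks the theme developer for (example code, not from the thread or from the Atahualpa theme), this is how a theme's "custom HTML" option could be gated on a multisite network: only the super admin may store raw markup, everyone else's input is run through WordPress's post allowlist, and the stored value is only ever echoed, never eval()'d. The option and function names (my_theme_*) are hypothetical.

```php
<?php
// Added example, not code from the thread or the theme it discusses.
// Option/function names prefixed my_theme_ are hypothetical.

// Sanitize callback for the theme's "custom HTML" option.
// On a network, only the super admin keeps raw markup; every other
// site admin has it filtered by wp_kses_post(), which strips tags and
// attributes outside the post allowlist (e.g. <script>, onclick=).
function my_theme_sanitize_custom_html( $html ) {
    if ( is_multisite() && is_super_admin() ) {
        return $html;
    }
    return wp_kses_post( $html );
}

// Register the option with the sanitize callback attached, so the
// filtering happens on every save regardless of which screen saved it.
function my_theme_register_settings() {
    register_setting(
        'my_theme_options',
        'my_theme_custom_html',
        array( 'sanitize_callback' => 'my_theme_sanitize_custom_html' )
    );
}
add_action( 'admin_init', 'my_theme_register_settings' );

// Output: the stored value is printed as markup only. A theme must
// never eval() a site-admin-controlled option, because that is exactly
// what turns "custom HTML" into DB_PASSWORD disclosure on WPMU.
function my_theme_print_custom_html() {
    echo get_option( 'my_theme_custom_html', '' ); // sanitized on save
}
```

A network-wide alternative is to define DISALLOW_UNFILTERED_HTML as true in wp-config.php, which removes the unfiltered_html capability from every user, super admins included.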
