Security issue when mysql is in trouble

  • Resolved mailcatala

    (@mailcatala)


    The credentials to connect to the database in any WP installation are among the most important information to keep as secure as possible.
    That is why I would like to bring to your attention an error message that reads “Can’t select database”, in which two pieces of information are given away: the username used to connect to the database and the name of the database itself.
    The message “Does the user %dbuser% has permission to access the %database% database?” should change to something more generic.

Viewing 8 replies - 1 through 8 (of 8 total)
  • esmi

    (@esmi)

    Forum Moderator

    Since the db user’s password is not displayed, why is this an issue?

    @esmi Seriously? Seeing as that’s not an issue, feel free to share the username and database name you use for blackwidow.co.uk

    esmi

    (@esmi)

    Forum Moderator

    I completed the WP install many, many years ago. The only time that message is displayed is when you, the site owner/admin, are actively installing WP. If you walk away before WP is fully installed and allow anyone to try & run install.php, surely that’s a bigger issue?

    Moderator Steve Stern

    (@sterndata)

    1. Please don’t start duplicate posts.

    2. If you’d like to make the case to change this behavior, please file a ticket with https://core.trac.wordpress.org/

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    @mailcatala Also? Do not resort to name calling again as you did with your deleted topic.

    You can disagree with people reasonably but name calling is not long tolerated here.

    The message “Does the user %dbuser% has permission to access the %database% database?” should change to something more generic.

    You’re concerned about data leakage but leaking the DB user ID and database name is less of an issue than informing the user that the credentials are wrong. Your (incorrect) database password is not displayed.

    *Drinks coffee, coffee is good*

    Steve’s suggestion really is best. If you feel strongly about it (and I think that’s valid) then why not submit a patch that removes from the error message the parts you think are not wise?

    It will get reviewed and if there is a consensus then your patch will get rolled into WordPress.

    @jdembowski It is not a case of an incorrect password (talk about name calling!) but a plugin (Yoast SEO) stressing the db server, bringing it to an idle state and causing that error message.
    My point is that this information can be leveraged by an attacker. WordPress accounts for a huge number of installations out there, and the fact that Automattic acquired WooCommerce (in a move to compete with PrestaShop) makes it much more important that we take special care not to disclose a single piece of the configuration (i.e. never use root, name your db differently, demote the admin user, etc.).
    If nobody sees an issue revealing the dbuser and dbname, fine.
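One way to implement the split this thread is arguing about (detail for the person running the installer, a generic message for everyone else, full detail kept in the server log), written as an added PHP example that is not WordPress core code and not a patch anyone posted here; the function name, the `$installing` flag and the sample values are assumptions for illustration:

```php
<?php
// Added example (not WordPress core code): show a generic message to visitors
// and keep the detail (db user, db name) in the server-side log. The function
// name and the $installing flag are assumptions made for this illustration.

/**
 * Build the message shown when the database cannot be selected.
 *
 * @param string $dbuser     Database user from wp-config.php.
 * @param string $dbname     Database name from wp-config.php.
 * @param bool   $installing True only while the site owner is running the installer.
 * @return string Message that is safe to render to the current visitor.
 */
function db_select_error_message(string $dbuser, string $dbname, bool $installing): string
{
    // Full detail always goes to the server log, never to the browser.
    error_log(sprintf(
        "Can't select database: user '%s' could not access database '%s'",
        $dbuser,
        $dbname
    ));

    if ($installing) {
        // During installation only the person running install.php sees this,
        // so naming the user and database helps them fix wp-config.php.
        return sprintf(
            "Can't select database. Does the user %s have permission to access the %s database?",
            htmlspecialchars($dbuser, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($dbname, ENT_QUOTES, 'UTF-8')
        );
    }

    // On a live site (for example MySQL overloaded by a plugin) an anonymous
    // visitor gets no configuration details at all.
    return "Can't select database. The site administrator has been notified; "
         . "please try again later.";
}

// Constructed sample values for a quick check from the command line.
echo db_select_error_message('wp_user', 'wp_prod', false), PHP_EOL;
echo db_select_error_message('wp_user', 'wp_prod', true), PHP_EOL;
```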

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    If nobody sees an issue revealing the dbuser and dbname, fine.

    That’s not what was said, you resorted to name calling, you need to cut that out now.

    If you feel strongly about it then consider producing a patch and submitting it.

    https://core.trac.wordpress.org/

    If you don’t want to do so that’s fine too.
