security problem
I installed a nightly build this morning, and just got around to messing with it.
One thing I’ve always had trouble with was how the WordPress templating system allows code access to the blogger.
For instance, on a multi-user site, where the user may be relatively anonymous, it’s not advisable to allow the user to put, say
<?php include('/etc/passwd');include('/etc/shadow'); ?>
into their template.
While most systems do run Apache under a httpd user, there may be some people out there running it under root, allowing this to be exploited.
Besides, this may be used to do other stuff – such as maybe:
<?=htmlspecialchars(join('',file('wp-config.php')));?>
That, on my own system, outputs the database username and password to the screen…
Don’t know if that’s even something to worry about, but definitely something to think about.
Kae
- The topic ‘security problem’ is closed to new replies.
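
A defensive check for the issue raised in the post, as an added example that is not part of the original post or of WordPress: it uses PHP's tokenizer to reject a user-supplied template that contains any PHP code before the template is saved. The function name `find_php_in_template` and the sample templates are assumptions (two of the samples reuse the snippets quoted in the post).

```php
<?php
// Added example, not WordPress code. The function name and the sample
// templates below are constructed for illustration.

/**
 * List every PHP token found in a user-supplied template.
 * Returns [] when the template is plain markup only.
 */
function find_php_in_template(string $template): array
{
    $findings = [];
    foreach (token_get_all($template) as $token) {
        // Markup outside PHP tags is reported as T_INLINE_HTML.
        // Any other token (open tag, include, string, ...) is code.
        if (is_array($token) && $token[0] !== T_INLINE_HTML) {
            $findings[] = sprintf(
                'line %d: %s %s',
                $token[2],
                token_name($token[0]),
                trim($token[1])
            );
        }
    }
    // A bare "<?" is only tokenized as an open tag when short_open_tag is
    // enabled in the process doing the check, so flag it explicitly too.
    if ($findings === [] && strpos($template, '<?') !== false) {
        $findings[] = 'possible short open tag "<?"';
    }
    return $findings;
}

// Constructed sample templates.
$samples = [
    'plain'   => "<h1>My blog</h1>\n<p>Hello</p>",
    'include' => "<h1>My blog</h1>\n<?php include('/etc/passwd'); ?>",
    'echo'    => "<?=htmlspecialchars(join('',file('wp-config.php')));?>",
];

foreach ($samples as $name => $template) {
    $findings = find_php_in_template($template);
    echo $name, ': ',
        $findings ? "REJECT\n  " . implode("\n  ", $findings) : 'ok',
        "\n";
}
```

A filter like this only matters when the saved template is later executed with `include` or `eval`; treating user templates as data and never executing them removes the need for it.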