WordPress.org

Support

Support » Requests and Feedback » security problem

security problem

  • I installed a nightly build this morning, and just got around to messing with it.
    One thing I’ve always had trouble with was how the wordpress templating system allows code access to the blogger.
    For instance, on a multi-user site, where the user may be relatively anonymous, it’s not advisable to allow the user to put, say
    <?php include('/etc/passwd');include('/etc/shadow'); ?>
    into their template.
    While most systems do run Apache under a httpd user, there may be some people out there running it under root, allowing this to be exploited.
    Besides, this may be used to do other stuff – such as maybe:
    <?=htmlspecialchars(join('',file('wp-config.php')));?>
    That, on my own system, outputs the database username and password to the screen…
    Don’t know if that’s even something to worry about, but definitely something to think about.
    Kae

Viewing 1 replies (of 1 total)
  • NuclearMoose

    @nuclearmoose

    Here is a listing of many discussions about security. Security is a concern for everyone, and the developers are totally aware of this. Others have raised the very issue that you just did. Check out the threads in the above list to see the various responses to security questions.

Viewing 1 replies (of 1 total)
  • The topic ‘security problem’ is closed to new replies.