• Resolved User Removed

    (@kjmeath)


    Any admin user could var_dump them in a theme template file…isn’t this a potential security risk?

    It makes sense that the initial admin user account that set up the WP install can have access to these constants, being that they entered this information into the installer…but any other admin user account (that is not uid #1) doesn’t really need access to these.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Anonymous User

    (@anonymized-3085)

    If you are worried about admins then they shouldn’t be admins. They could do a lot more damage than just doing a var_dump.

    Thread Starter User Removed

    (@kjmeath)

    I understand that, but this is beyond the realm of the WP installation. This is giving people access to the database information, when there is no need for them to be able to access it.

    Anonymous User

    (@anonymized-3085)

    Well, deny them access from editing any file via WordPress, either with a role permission plugin, or by simply changing the chmod on those files.

    Thread Starter User Removed

    (@kjmeath)

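    Already doing that in functions.php:

    // Hide the Theme Editor link from the Appearance submenu.
    add_action('admin_head', 'removeThemeEditor');
    function removeThemeEditor() {
        global $submenu;
        // Nothing to do if the Appearance submenu is not registered.
        if ( empty( $submenu['themes.php'] ) ) {
            return;
        }
        foreach ( $submenu['themes.php'] as $id => $editorPage ) {
            if ( $editorPage[2] == 'theme-editor.php' ) {
                unset( $submenu['themes.php'][$id] );
            }
        }
    }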

    I hope WP decides to fix this in the future
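
Added example, not part of the original posts: one way to enforce the restriction discussed above at the capability level rather than only hiding the menu link, so a direct request to theme-editor.php or plugin-editor.php is also refused. The function name, the constant name and the assumption that the installing account has user ID 1 are illustrative.

```php
<?php
/**
 * Added example (hypothetical must-use plugin file).
 * Denies the built-in theme and plugin file editors to every account
 * except one designated user, by mapping the relevant capabilities
 * to 'do_not_allow'.
 *
 * To disable the editors for all users instead, core supports
 *   define( 'DISALLOW_FILE_EDIT', true );
 * in wp-config.php.
 */

// Assumption: the account that ran the installer has user ID 1.
const EXAMPLE_PRIMARY_ADMIN_ID = 1;

/**
 * Filter callback for 'map_meta_cap'.
 *
 * @param string[] $caps    Primitive capabilities required for $cap.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id ID of the user being checked.
 * @return string[] Required capabilities, possibly replaced by a denial.
 */
function example_restrict_file_editing( $caps, $cap, $user_id ) {
    // Capabilities that gate theme-editor.php and plugin-editor.php.
    $file_caps = array( 'edit_themes', 'edit_plugins', 'edit_files' );

    if ( in_array( $cap, $file_caps, true )
        && (int) $user_id !== EXAMPLE_PRIMARY_ADMIN_ID ) {
        // 'do_not_allow' is a capability no user is ever granted,
        // so current_user_can() returns false for these checks.
        return array( 'do_not_allow' );
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'example_restrict_file_editing', 10, 3 );
```

This covers only the built-in file editors; an administrator who can still install or upload plugins and themes can run PHP on the site by that route, which is the point made in the first reply.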

    Anonymous User

    (@anonymized-3085)

    If you feel it to be a security issue then email [email protected]

    Thread Starter User Removed

    (@kjmeath)

    Will do, cheers!

  • The topic ‘Database info stored as PHP constant, potential security risk’ is closed to new replies.