Exposing MySQL connection details on error

  • Resolved pmq

    (@pmq)


    1 month, 3 weeks ago

    Hello

    While configuring new install of NinjaFirewall there was a short outage of MySQL server. During this time an error was displayed with almost all (some were long then shortened) details for MySQL connection (host, database, user and PASSWORD) in clear text!

    I’ve never seen such an error message in WordPress itself, so I assume it may be NinjaFirewall’s fault. I didn’t manage to take a screenshot, because it was more important for me to quickly block the service (so that no one intercepts this data).

    Do you know of such a problem and how to protect yourself against it?

    Regards
    Pawel

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    That isn’t due to NinjaFirewall, but to the fact that you have the display_errors directive enabled in your PHP configuration. As per the PHP documentation (https://www.php.net/manual/en/language.errors.basics.php):

    This should always be disabled in a production environment, as it can include confidential information such as database passwords

    Simply turn it off.

    Thread Starter pmq

    (@pmq)

    I rent a server from a professional data center, with administration. And indeed display_errors was on ??
    Anyway NinjaFirewall would warn about this setting since it’s a security plugin.

    Thanks for the tip: an IT specialist, like a doctor, learns all his life…

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.

Tags