Security Issue?

  • Can this be done??

    if so wouldnt it be necessary to remove install.php after wp instal?
    would it affect updates?

    Step 1. Excessively access /wp-admin/install.php to get mysql server temperorily down because of too many parallel connections.

    Step 2. Because mysql sever is down, the install.php will no longer show “You appear to have already installed WordPress. To reinstall please clear your old database tables first”, but will respond like a new installation with a form to fill in domain and email, because the function is_blog_installed() in the source codes of install.php will return “FALSE” for its failure in accessing the database.

    Step 3. Fill the form with new domain and new email and try to update the database when mysql server has just recovered to work. If successful, they will get a new admin account sent to their email, all the internal links of my blog will become external links and they will steal lots of traffic and hardlinks. If not successful, my site will be still down.

    So, I should say I’m lucky that servage has a limitation in hits and my account won’t recover until tomorrow. This is a very dangerous security hack.

Viewing 5 replies - 1 through 5 (of 5 total)

  • Simple answer NO.

    When the wpdb is loaded it checks that it can make a connection with the database. If this fails it calls the function wp_die() which will halt the script. The only way for you to carry out this hack would be either to modify the data travelling from the MySQL database or to in some way cause the database to shut down between the connection being made and wordpress requesting is_blog_installed().

    Having said that removing install.php after you have installed your blog might be a good idea and would improve the security of your blog.

    Thread Starter loller6661

    (@loller6661)

    ok thx for the feedback.

    Will it give issues when I upgrade the blog when having install.php removed?

    who cares, remove it. I remove it. always.

    even better for you maybe, just rename it.

    No it won’t affect upgrading your blog. install.php is only for creating a completely new copy of wordpress.

    Thread Starter loller6661

    (@loller6661)

    ok thanks guys

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Security Issue?’ is closed to new replies.