
Security quotes of the week

Clearly, one MUST configure the webserver to NOT permit off-site access to the credentials and configuration file: wp-config.php but I'll be darned if I can see instructions on the WordPress site, showing a novice administrator how to do this. In a shared hosting environment without 'root' level control, it is probably not even doable.
-- Russ Herrold

Whenever possible, when the law is ambiguous or silent on the issue at bar, the courts should let those who want to market new technologies carry the burden of persuasion that a new exception to the broad rights enacted by Congress should be established. That is especially so if that technology poses grave dangers to the exclusive rights that Congress has given copyright owners. Commercial exploiters of new technologies should be required to convince Congress to sanction a new delivery system and/or exempt it from copyright liability. That is what Congress intended.
-- Ralph Oman [PDF], former US Register of Copyrights (by way of Techdirt)

Taking pictures in your private space may be embarrassing and may expose your mistress or illegal pot plants to the world, but as far as burglars go, it is irrelevant: they can tell easily whether your house is worth breaking into from the outside. And the idea that a bunch of dim-wit burglars are using poor quality 3D models to plan their heist wouldn't even fly as a movie plot.

This project strengthens the ludicrous idea in people's heads that photography is somehow a significant threat to safety or security. Photographic documentation is an extremely important part of modern democracy, and projects like these threaten the ability of people to take pictures.

-- Slashdot commenter kenorland (Thanks to Paul Wise.)

When China starts looking like a Free Speech haven, something is really wrong with the United States.
-- Nina Paley (Also thanks to Paul Wise.)

Security quotes of the week

Posted Oct 4, 2012 15:50 UTC (Thu) by ftc (subscriber, #2378) [Link]

> Clearly, one MUST configure the webserver to NOT permit off-site
> access to the credentials and configuration file: wp-config.php

Why is that so?

wp-config.php looks like this:

<?php
define('DB_NAME', 'foo');
define('DB_USER', 'bar');
define('DB_PASSWORD', 'baz');
/* ... */
?>

I understand that nobody should be able to fetch this file as-is. However, on a standard setup, when a client requests wp-config.php via HTTP, the PHP parser just runs it, defines everything, and then does not return anything. The response is a text/html of length 0.

So what's the problem?

Security quotes of the week

Posted Oct 4, 2012 19:08 UTC (Thu) by spender (subscriber, #23067) [Link]

It appears to me to just be a problem of muddy definitions. With the following:

webserver: the OS environment/filesystem/etc
off-site: not via HTTP

it should make more sense (as it seems you agree). It's not clear that even access control could help however if a "plugin" is some kind of interpreted script, using the same interpreter (executing in the context of Apache via mod_php.so) that would be accessing wp-config.php normally. Control over the interpreter is pretty much game over.

-Brad

Security quotes of the week

Posted Oct 4, 2012 20:59 UTC (Thu) by josh (subscriber, #17465) [Link]

Most PHP setups tend to leave the PHP files in the web root, with a configuration that says "run .php files via php rather than serving them". With a setup like that, it only takes one web server misconfiguration to cause the server to serve the file as text rather than running it.

A much better configuration would have all the PHP files outside the web root, where misconfigurations would fail closed by not serving them.
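The thread above describes three outcomes for a request to wp-config.php: the interpreter runs it and returns an empty text/html body, a misconfiguration serves the source as text, or the file sits outside the web root and is simply not there. The following Python script is an added example, not code from the LWN page or from any commenter, that turns those outcomes into a self-check a site operator can run against their own install. The HTTP responses in SAMPLES are constructed for the demonstration; the only live-network code is fetch(), which is used only when a URL is supplied. (WordPress itself supports the fail-closed layout josh describes: wp-load.php looks for wp-config.php in the install directory and then one level above it.)

```python
"""Classify how a web server answered a GET for wp-config.php.

Added example (not from the LWN page). A response body that still contains
PHP define() calls for the database credentials means the source reached
the client, which is the misconfiguration discussed in the thread.
"""
import re
import sys
from dataclasses import dataclass

# A define() of one of WordPress's database settings. Seeing it in a
# response body means the file was served as text, not executed.
CREDENTIAL_DEFINE = re.compile(
    r"define\s*\(\s*['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"]"
)


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str
    body: bytes


def classify(resp: Response) -> str:
    """Return 'leaked', 'executed', 'denied', 'absent' or 'unexpected'."""
    text = resp.body.decode("utf-8", "replace")
    # Checked first: a leak is a leak whatever the status or content type
    # (a handler-less setup often offers the file as a download).
    if CREDENTIAL_DEFINE.search(text):
        return "leaked"
    if resp.status in (401, 403):
        return "denied"      # access control blocks the path
    if resp.status == 404:
        return "absent"      # file is not under the web root (fails closed)
    if resp.status == 200 and len(resp.body) == 0:
        return "executed"    # mod_php ran it; defines happen server-side only
    return "unexpected"      # e.g. a 200 with some other body: look at it by hand


def report(samples: dict) -> dict:
    """Map each labelled response to its verdict."""
    return {label: classify(resp) for label, resp in samples.items()}


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch url and wrap the answer, including HTTP error replies."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Content-Type", ""), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Content-Type", ""), e.read())


# Constructed sample responses covering the cases raised in the thread.
LEAKED_SOURCE = (
    b"<?php\n"
    b"define('DB_NAME', 'foo');\n"
    b"define('DB_USER', 'bar');\n"
    b"define('DB_PASSWORD', 'baz');\n"
)
SAMPLES = {
    "mod_php ran the file": Response(200, "text/html", b""),
    "served as text": Response(200, "text/plain", LEAKED_SOURCE),
    "offered as download": Response(200, "application/octet-stream", LEAKED_SOURCE),
    "explicitly denied": Response(403, "text/html", b"<html>Forbidden</html>"),
    "outside the web root": Response(404, "text/html", b"<html>Not Found</html>"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python wpconfig_check.py https://example.invalid/wp-config.php
        print(classify(fetch(sys.argv[1])))
    else:
        for label, verdict in report(SAMPLES).items():
            print(f"{label:24s} -> {verdict}")
```

Only "executed", "denied" and "absent" are acceptable verdicts; "leaked" means the handler mapping is not in effect for that path, and "unexpected" deserves a manual look at the body. The 404 case is the one josh argues for: with the file above the web root there is nothing for a misconfigured server to hand out.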

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds