| |||||||||||||
Security quotes of the weekSecurity quotes of the weekPosted Oct 4, 2012 15:50 UTC (Thu) by ftc (subscriber, #2378)Parent article: Security quotes of the week
> Clearly, one MUST configure the webserver to NOT permit off-site
> access to the credentials and configuration file: wp-config.php
Why is that so?
wp-config.php looks like this:
<?php
I understand that nobody should be able to fetch this file as-is. However, on a standard setup, when a client requests wp-config.php via HTTP, the PHP parser just runs it, defines everything, and then does not return anything. The response is a text/html of length 0.
So what's the problem?
(Log in to post comments)
Security quotes of the week Posted Oct 4, 2012 19:08 UTC (Thu) by spender (subscriber, #23067) [Link]
It appears to me to just be a problem of muddy definitions. With the following:
webserver: the OS environment/filesystem/etc
it should make more sense (as it seems you agree). It's not clear that even access control could help however if a "plugin" is some kind of interpreted script, using the same interpreter (executing in the context of Apache via mod_php.so) that would be accessing wp-config.php normally. Control over the interpreter is pretty much game over.
-Brad
Security quotes of the week Posted Oct 4, 2012 20:59 UTC (Thu) by josh (subscriber, #17465) [Link]
Most PHP setups tend to leave the PHP files in the web root, with a configuration that says "run .php files via php rather than serving them". With a setup like that, it only takes one web server misconfiguration to cause the server to serve the file as text rather than running it.
A much better configuration would have all the PHP files outside the web root, where misconfigurations would fail closed by not serving them.
|
|||||||||||||