
Thread: Webhosting Companies And Security Related Attacks

  1. #101
    Jeffro

    I just double checked wp-config.php for WPTavern.com and yes, the permissions are set to 0644. Phew :)

  2. #102
    Ipstenu

    So the speculation that if you're on a server where some idiot has set their config file to 755, the whole server is endangered is BS?

    (and of course I checked mine too ;) )

  3. #103
    chipbennett

    Originally posted by Jeffro:
        ZDNet is reporting on the security lapse and based on the info they gathered from two other places, the culprit appears to be database credentials stored in plain text in wp-config.php with incorrect permissions set.

        http://blogs.zdnet.com/security/?p=6111

    Veeeeerrrrry interesting...

    How about a big, annoying, nag banner on the back-end that is visible anytime wp-config.php file permissions are set to anything unsafe?

    (I'm envisioning a plug-in here. I need to look into how to display - and edit - file permissions from an options page in the back-end. Do any other plugins do this?)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  4. #104
    Ipstenu

    Quote:
        (I'm envisioning a plug-in here. I need to look into how to display - and edit - file permissions from an options page in the back-end. Do any other plugins do this?)

    WP Super Cache does this. I'm sure others do, too, but I'm familiar with that one having the nag screen.

  5. #105
    chipbennett

    Originally posted by Ipstenu:
        WP Super Cache does this. I'm sure others do, too, but I'm familiar with that one having the nag screen.

    It nags on file permissions?

  6. #106
    Ipstenu

    Yeah. When you install it, it says 'Hey, the files aren't writeable. Do this.' You set 'em, it installs, then it says 'Hey, your files aren't secure! Do this!'

    In each case, it gives you the exact chmod to run to fix the problem.
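
The check-and-nag behaviour discussed in the posts above, sketched as a standalone script. This is an added example, not part of the thread and not code from WP Super Cache or any other plugin mentioned; the function names are hypothetical. It assumes 0644 is the acceptable baseline, as the thread does, and accepts 0640 as an optional stricter setting.

```python
import os
import shlex
import stat
import tempfile

# Assumption: 0644 is the baseline treated as acceptable in this thread.
# Pass allowed=0o640 for the stricter owner/group-only setting.
BASELINE = 0o644

# Each entry: (permission bits, what it means if set beyond the allowed mask).
LABELS = [
    (stat.S_IROTH, "readable by every account on the server"),
    (stat.S_IWOTH, "writable by every account on the server"),
    (stat.S_IRGRP, "readable by the group"),
    (stat.S_IWGRP, "writable by the group"),
    (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH, "executable bit set"),
    (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX, "setuid/setgid/sticky bit set"),
]

def audit_mode(mode, allowed=BASELINE):
    """Return (findings, tightened_mode) for a numeric permission mode."""
    mode &= 0o7777
    extra = mode & ~allowed              # bits set that the policy does not allow
    findings = [text for bits, text in LABELS if extra & bits]
    return findings, mode & allowed      # never grants anything new

def audit_file(path, allowed=BASELINE):
    """Return a nag message with the exact chmod to run, or None if the file is fine."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return f"{path}: cannot check permissions ({exc.strerror})"
    findings, fixed = audit_mode(mode, allowed)
    if not findings:
        return None
    return (f"{path} is mode {mode:04o}: {'; '.join(findings)}. "
            f"Fix: chmod {fixed:04o} {shlex.quote(path)}")

if __name__ == "__main__":
    # Constructed stand-in for wp-config.php so the demo runs anywhere.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "wp-config.php")
        open(cfg, "w").close()
        for mode in (0o644, 0o640, 0o755, 0o666):
            os.chmod(cfg, mode)
            print(f"{mode:04o} ->", audit_file(cfg) or "OK")
        os.chmod(cfg, 0o644)
        print("strict ->", audit_file(cfg, allowed=0o640))
```

Whether 0640 works on a given host depends on which user and group the web server runs PHP as, so the stricter mask is left opt-in.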

  7. #107
    chipbennett

    Originally posted by Jeffro:
        I just double checked wp-config.php for WPTavern.com and yes, the permissions are set to 0644. Phew :)

    Mine was also set to 644, but I changed it to 640, just to be extra-secure. :)

  8. #108
    andrea_r

    The wpmu installer has always nagged about the file permissions and given a reminder to set it back.

    There was another article written that said the users involved had changed the permissions on the file themselves.

    Edit: article here with some quotes from Barry. http://www.darkreading.com/database_...SSfeed_DR_News

    Son of Edit: cracked a thousand posts, woot!
    Last edited by andrea_r; 04-12-2010 at 05:30 PM.

  9. #109
    Ryan

    Weird. I wouldn't have thought many people would have had their file permissions set like that.

  10. #110
    Ryan

    Quote:
        The researchers who discovered the attacks say a design flaw in the WordPress blogging platform was the underlying problem because by default it allows users to set up permissions that let anyone read their blog's wp-config.php file configuration files

    Does this mean that they think that WordPress should not allow users to use a more permissive permissions setup than 644? i.e.: it should spit out an error when users set it to something higher?

    What do other web softwares do? I assumed the way WordPress did it was a fairly standard par for the course approach to such things.
