
Thread: Possible Security Threat?

  1. #1
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,359

    Possible Security Threat?

    Received this from Badcat today on Twitter and from the looks of it, seems like a serious flaw. Can anyone else confirm the validity or severity of it?

    http://perishablepress.com/press/200...for-wordpress/

    I'm in the IRC Dev chat to see what they say.

  2. #2
    andrea_r is offline WordPress Rockstar
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,325


    This has actually been present for a long, long time. Remember Root? And pre-Habari days? This came up then.

    In many other CMS installs, removing index-install.php is pretty much standard.

  3. #3
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,359


    So are you saying that if install.php was removed, this probably would have kept anyone from reinstalling WordPress? If this is the case, how come WordPress does not warn people upon the end of installation to remove this file? I know vBulletin does this and I think phpBB does this as well. In fact, they won't let you into the administration area unless that file is deleted.

  4. #4
    itsananderson is offline Big Tipper
    Join Date
    Jan 2009
    Location
    Terre Haute, IN
    Posts
    354


    If you've already installed WordPress though, the install.php file won't let you install it again, so I don't see this as a huge security threat. Obviously it would be more secure if you removed the install.php file, but I suspect the instructions don't have you do this because it might make the install process too confusing or difficult for some people.

  5. #5
    Leland is offline Hello World
    Join Date
    Mar 2009
    Location
    US
    Posts
    60


    Well, I said this on Twitter too...but I know that Joomla pretty much cuts off access to everything (front-end and administration) until you've deleted the install directory, after the installation is over.

    Can't really see how it could hurt to at least recommend deleting the install.php file after installing WordPress? Like it said in that Perishable Press post, it's not really needed after installation so I can't think of any reason why you'd still want it there.

  6. #6
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,359


    But what if the database server crashed and when it came back online, your database was empty, meaning you could install WordPress right away again. I think this is a fringe case but it shows that it's possible. So wouldn't removing install.php simply prevent this fringe case from happening?

  7. #7
    Brad is offline Here For The Peanuts
    Join Date
    Jan 2009
    Location
    USA
    Posts
    142


    At minimum, the instructions here should be updated.
    http://codex.wordpress.org/Installin...Minute_Install

    Deleting the file as a part of the install (similar to Joomla) would be best.

  8. #8
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,997


    Quote, originally posted by Jeffro:
        But what if the database server crashed and when it came back online, your database was empty, meaning you could install WordPress right away again. I think this is a fringe case but it shows that it's possible. So wouldn't removing install.php simply prevent this fringe case from happening?

    But since everyone follows good practice, and maintains regular backups, wouldn't the best course of action be to restore the database from backup? ;)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  9. #9
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,359


    Yes, but what if this happens at night and you don't get the chance to restore until a few hours after the site has been compromised? I know I'm bringing in quite a few What Ifs. I've been in the IRC room all day today and even some of the WordPress guys are stumped. I can't get a straight answer on whether removal of install.php would prevent this from happening. I also can't figure out if this is a security hazard or an obscure bug.

  10. #10
    Ryan is offline WordPress Legend
    Join Date
    Jan 2009
    Location
    New Zealand
    Posts
    2,801


    It looks like a security hazard they've chosen to ignore since it is so unlikely to actually occur.

    Mark Jaquith said in that post that he's never seen this happen before.
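
An added example, not part of any post in this thread and not WordPress code: whether or not the installer is removed, requests to it can be watched for in the web server's access log, which covers the overnight scenario raised above. It assumes the common/combined log format; the function name, sample lines and addresses are constructed for illustration.

```python
import re

# Installer script names mentioned in the thread.
INSTALLER_NAMES = ("install.php", "index-install.php")

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def installer_hits(lines):
    """Return (time, host, method, path, status, severity) per installer request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = m["target"].split("?", 1)[0]  # drop the query string
        if path.rsplit("/", 1)[-1].lower() not in INSTALLER_NAMES:
            continue
        status = int(m["status"])
        if m["method"] == "POST" and status < 400:
            severity = "alert"  # installer form submitted and served: review first
        elif status < 400:
            severity = "warn"   # installer is present and reachable
        else:
            severity = "info"   # probe only: file removed or access denied
        hits.append((m["time"], m["host"], m["method"], path, status, severity))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2009:02:14:07 +0000] "GET /blog/wp-admin/install.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2009:02:14:31 +0000] "POST /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2009:02:15:02 +0000] "GET /blog/index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2009:03:40:55 +0000] "GET /old/index-install.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'truncated line without a request field',
]

if __name__ == "__main__":
    for hit in installer_hits(SAMPLE_LOG):
        print(*hit)
```

A served POST is only a prompt to check the site's state: on an already-installed site the installer itself refuses to run, as post #4 points out.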
