[Plugin: WP Security Scan] Bug: Database Security – database.php | ww.wp.xz.cn

KrX
(@krx)

16 years, 11 months ago

Bug 1. Function where wp-config.php gets changed.
Function will replace <b>all</b> instances of $GLOBALS[‘table_prefix’], even if value it is replacing is not $table_prefix = ‘foobar’;
e.g. New prefix: “foo”. If the username is <i>define(‘DB_USER’, ‘wp_’);</i> (happens to be <i>wp_</i>), the username will also be changed to “foo”.
(Line 141 of database.php)
Suggestion: make criteria for <i>str_replace</i> include: <i>$table_prefix = ‘</i> and <i>’;</i> like:
$table_prefix = ‘kwapc_’;
$line = str_replace(“$table_prefix = ‘”.$GLOBALS[‘table_prefix’].”‘;”, “$table_prefix = ‘”.$newpref.”‘;”, $line);

Bug 2. MySQL: Table wp_usermeta’s whose meta_key value == “wp_capabilities” and “wp_metaboxorder_dashboard” do not get changed into the new prefix values.
This causes WordPress to output errors like “You do not have sufficient permissions to access this page.”, especially in administration pages.

Viewing 1 replies (of 1 total)

erigami
(@erigami)

16 years, 7 months ago

Uh, can you explain a little bit more about Bug 2? I maintain a plugin that is apparently causing its users problems with a “You do not have sufficient permissions to access this page.” message. One of my users pointed me here and I’m curious what the implications of #2 are.

Thanks,
e

Viewing 1 replies (of 1 total)

The topic ‘[Plugin: WP Security Scan] Bug: Database Security – database.php’ is closed to new replies.

In: Requests and Feedback
1 reply
2 participants
Last reply from: erigami
Last activity: 16 years, 7 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics