#9529 closed defect (bug) (invalid)
wp-config.php created with global write privs
Reported by: | jonasc | Owned by: | ryan |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
wp-config.php is created with global read and write privileges when running through the install process.
- Using Wordpress 2.7.1 (as downloaded from wordpress.org on Apr. 13)
- Installing to a Linux server with PHP 5.2.4 installed as an fcgi
- choosing to have the install process create a wp_config.php file for me (as opposed to uploading a custom one)
ls -lah wp/wp-config.php -rw-rw-rw- 1 web web 2.5K Apr 13 12:10 wp/wp-config.php
I'd suggest slightly stricter permissions by default :)
Change History (2)
Note: See
TracTickets for help on using
tickets.
If the file is owned by the www user, anything short of those privileges will prevent end users from deleting or overwriting the file.