setup-config.php is tainted by request data
Reported by: hakre | Owned by: ryan
Just stumbled over it and think this should be prevented: setup-config.php uses relative include paths. Those can be manipulated by adding an additional slash after .php in the request's URL:
Relative file paths should be based on ABSPATH, which is defined there as well.
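The fix the report proposes, as an added example that is not WordPress code and not part of the original ticket: a `../` include is resolved against PHP's current working directory, while an include built from a base derived from `__FILE__` is not. It does not reproduce the URL behaviour reported above; the directory layout, the file names and the `$base` variable (standing in for ABSPATH) are constructed for the demonstration.

```php
<?php
// Constructed layout: two trees, each holding its own lib/compat.php.
$root = sys_get_temp_dir() . '/include-demo-' . getmypid();
foreach (array('site', 'other') as $tree) {
    mkdir("$root/$tree/lib", 0700, true);
    mkdir("$root/$tree/admin", 0700, true);
    // Each copy returns the name of the tree it lives in.
    file_put_contents("$root/$tree/lib/compat.php", "<?php return '$tree';");
}

// Hypothetical setup script living in site/admin. It loads the same library
// twice: once by relative path, once anchored to a base computed from __FILE__.
file_put_contents("$root/site/admin/setup.php", <<<'PHP'
<?php
// Stand-in for ABSPATH: the directory above this script's own directory.
$base = dirname(dirname(__FILE__)) . '/';
return array(
    'relative' => (include '../lib/compat.php'),
    'anchored' => (include $base . 'lib/compat.php'),
);
PHP
);

// Run the setup script with a given working directory and return what it loaded.
function run_from($cwd, $script)
{
    chdir($cwd);
    return include $script;
}

$script = "$root/site/admin/setup.php";
$cases = array(
    'site/admin'  => run_from("$root/site/admin", $script),
    'other/admin' => run_from("$root/other/admin", $script),
);

foreach ($cases as $cwd => $loaded) {
    printf("cwd=%-12s relative loaded: %-6s anchored loaded: %s\n",
        $cwd, $loaded['relative'], $loaded['anchored']);
}
```

Run it with the PHP CLI. The relative include follows whatever the working directory happens to be, while the anchored include always loads the file that sits beside the script's own tree.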
Change History (12)
- Priority changed from normal to lowest
- Severity changed from normal to minor