WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#9529 closed defect (bug) (invalid)

wp-config.php created with global write privs

Reported by: jonasc
Owned by: ryan
Milestone:
Priority: normal
Severity: major
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

wp-config.php is created with global read and write privileges when running through the install process.

  • Using WordPress 2.7.1 (as downloaded from wordpress.org on Apr. 13)
  • Installing to a Linux server with PHP 5.2.4 installed as an fcgi
  • Choosing to have the install process create a wp_config.php file for me (as opposed to uploading a custom one)

    ls -lah wp/wp-config.php
    -rw-rw-rw- 1 web web 2.5K Apr 13 12:10 wp/wp-config.php

I'd suggest slightly stricter permissions by default :)
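
Added example, not part of the ticket or of WordPress: the `-rw-rw-rw-` in the listing above is the mode an ordinary file create (requested as 0666) ends up with when the process umask masks nothing off. Assuming the installer's write is such a create (the ticket does not state the umask of the fcgi process), this script creates a file under three umasks and classifies the result; the function names and sample file names are constructed for illustration.

```sh
#!/bin/sh
# Added example: how the process umask decides the mode of a newly created
# config file, and a check that flags the world-writable case.

# Print the 10-character mode string (e.g. -rw-rw-rw-) of a path.
# cut drops the trailing ACL/SELinux marker some ls versions append.
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Echo world-writable, world-readable or restricted, based on the
# "other" read/write bits (characters 8 and 9 of the mode string).
classify_mode() {
    [ -e "$1" ] || return 2
    m=$(mode_string "$1")
    other_r=$(printf '%s' "$m" | cut -c8)
    other_w=$(printf '%s' "$m" | cut -c9)
    if [ "$other_w" = "w" ]; then
        echo world-writable
    elif [ "$other_r" = "r" ]; then
        echo world-readable
    else
        echo restricted
    fi
}

# Create a new empty file under the given umask (in a subshell, so the
# caller's umask is untouched) and echo the mode it received.
# The shell requests 0666 for the new file; the umask bits are cleared.
create_with_umask() {
    ( umask "$1" && : > "$2" ) && mode_string "$2"
}

# Walk three umasks over constructed sample files in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    for mask in 000 022 027; do
        f="$dir/wp-config-$mask.php"    # constructed sample file
        mode=$(create_with_umask "$mask" "$f")
        printf 'umask %s -> %s (%s)\n' "$mask" "$mode" "$(classify_mode "$f")"
    done
    rm -rf "$dir"
}

demo
```

Only a file that does not exist yet takes its mode from the umask; rewriting an existing file keeps whatever mode it already has.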

Change History (2)

comment:1 @Denis-de-Bernardy 6 years ago

  • Resolution set to invalid
  • Status changed from new to closed

If the file is owned by the www user, anything short of those privileges will prevent end users from deleting or overwriting the file.

comment:2 @Denis-de-Bernardy 6 years ago

  • Milestone Unassigned deleted