If you’re on a shared hosting server, be extremely careful to apply the correct permissions to your configuration files. Failure to do so can leave them open to viewing by other users on the server. Because a CMS config file holds the database host, username and password, it’s then a trivial matter for that user to connect to the database server and modify posts, steal customer data and so on.
This problem isn’t new, but with more people relying on CMS systems such as WordPress, which use a standard config file at a well-known path, it’s a growing danger.
Your config file should have its permissions set to 600 (read and write for the owner only) to prevent other users on your server from reading it. Note that this only protects you if your PHP runs as your own account (suEXEC, suPHP or a per-user PHP-FPM pool). If every site runs as the shared web-server user, that user must be able to read the file, and every other site’s scripts run as that same user, so per-file permissions cannot separate the tenants.
I’ve put together a proof of concept script which automatically searches for WordPress, Joomla, Drupal and any other generic config files and allows you to view them.
Note: It may be illegal to read other users’ config files, connect to their database and insert hidden links into their old WordPress posts. As such, only use this script on a server which is used exclusively to host your own websites.
Download: Insecure-Config-Search.php
Usage: Upload to your server and visit the script in your web browser. No config required!
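The same check can be run from the command line on your own account without the PHP script. The following is an added example written for this post, not the Insecure-Config-Search.php script itself: it walks a directory for the standard WordPress (wp-config.php), Joomla (configuration.php) and Drupal (settings.php) config file names, reports any whose mode grants read access to group or other, and optionally resets them to 600 as recommended above. The directory layout and file names in the usage call are constructed for illustration.

```shell
#!/bin/sh
# Audit CMS config files that other local users could read, and lock them down.
# Added example: the file names are the standard WordPress, Joomla and Drupal
# config names; the scan root is whatever directory you pass in.

# Print every matching config file under $1 whose mode has the group-read
# or other-read bit set. -perm -040 / -perm -004 are POSIX find syntax,
# so this works on GNU and BSD find alike.
find_readable_configs() {
    root="$1"
    find "$root" -type f \
        \( -name wp-config.php -o -name configuration.php -o -name settings.php \) \
        \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Number of such files; 0 means every config is private to its owner.
count_readable_configs() {
    find_readable_configs "$1" | wc -l | tr -d ' '
}

# Restrict each readable config to owner read/write (mode 600) and report it.
# Only do this where PHP runs as your own user; under a shared web-server
# user, 600 on a file you own will stop the site from reading its config.
lock_down_configs() {
    find_readable_configs "$1" | while IFS= read -r f; do
        chmod 600 "$f"
        echo "fixed: $f"
    done
}

# Usage (constructed example): audit then fix your own web root.
#   find_readable_configs "$HOME/public_html"
#   lock_down_configs "$HOME/public_html"
```

Run the audit first and read the list; only lock down files once you have confirmed that your PHP processes run under the account that owns them.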