Skip to:

Opened 10 years ago

Closed 10 years ago

#1879 closed defect (bug) (fixed)

bbPress 2.1 RC4 - Import Forums Database fields should not be pre-populated. Security Concern.

Reported by: Omicron7 Owned by:
Milestone: 2.1 Priority: high
Severity: major Version: 2.0
Component: API - Importers Keywords: has-patch
Cc: Omicron7


The Database fields on the Tools - Forums - Import Forums page should not be pre-populated with the WordPress database connection information. Even though the password field was masked in #1858, the database password is still stored in plaintext in the source. This presents a security risk by disclosing the WordPress database connection information.

This is probably more of an issue in a multisite environment where individual blog admins could get the database connection information for the WordPress Network.

I would recommend leaving these fields blank and possibly adding a note that the connection information, if needed and not know, is in the wp-config.php file.

Attachments (1)

bbp-remove-dbpassword.diff (1.8 KB) - added by Omicron7 10 years ago.
Removes pre-populated DB User, Password and Name

Download all attachments as: .zip

Change History (3)

10 years ago

Removes pre-populated DB User, Password and Name

#1 @Omicron7
10 years ago

  • Cc Omicron7 added
  • Keywords has-patch added

#2 @johnjamesjacoby
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4047]) Converter:

  • Stop pre-loading database information in converter.
  • Originally to ease testing during 2.1 development.
  • Fixes #1879.
  • Props Omicron7.
Note: See TracTickets for help on using tickets.