Opened 13 years ago
Closed 13 years ago
#1879 closed defect (bug) (fixed)
bbPress 2.1 RC4 - Import Forums Database fields should not be pre-populated. Security Concern.
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 2.1 | Priority: | high |
Severity: | major | Version: | 2.0 |
Component: | API - Importers | Keywords: | has-patch |
Cc: | Omicron7 |
Description
The Database fields on the Tools - Forums - Import Forums page should not be pre-populated with the WordPress database connection information. Even though the password field was masked in #1858, the database password is still stored in plaintext in the source. This presents a security risk by disclosing the WordPress database connection information.
This is probably more of an issue in a multisite environment where individual blog admins could get the database connection information for the WordPress Network.
I would recommend leaving these fields blank and possibly adding a note that the connection information, if needed and not known, is in the wp-config.php file.
Removes pre-populated DB User, Password and Name
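The check below is an added example, not part of the ticket or of bbPress's code: a regression test that parses a rendered settings page and reports any `<input>` served with a secret in its `value` attribute, since `type="password"` only masks the display and leaves the value in the page source. The field names (`db_name`, `db_user`, `db_pass`), the sample markup and the credential strings are constructed for illustration.

```python
from html.parser import HTMLParser


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> fields whose value attribute carries a secret."""

    def __init__(self, secrets):
        super().__init__(convert_charrefs=True)
        self.secrets = {s for s in secrets if s}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser has already unescaped entities in attribute values.
        attr = {k: (v or "") for k, v in attrs}
        value = attr.get("value", "")
        if not value:
            return  # blank field: nothing is disclosed in the source
        name = attr.get("name", "")
        if value in self.secrets:
            self.findings.append((name, "known secret in page source"))
        elif attr.get("type", "text").lower() == "password":
            # Masked on screen, but still readable via "view source".
            self.findings.append((name, "password field served pre-filled"))


def audit_form(html, secrets):
    """Return (field name, reason) for every input that discloses a value."""
    finder = PrefilledSecretFinder(secrets)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup: the form before and after blanking the fields.
SECRETS = ["wordpress_net", "wp_admin", "s3cr3t&constructed"]
BEFORE = """
<input name="db_name" type="text" value="wordpress_net">
<input name="db_user" type="text" value="wp_admin">
<input name="db_pass" type="password" value="s3cr3t&amp;constructed">
"""
AFTER = """
<input name="db_name" type="text" value="">
<input name="db_user" type="text" value="">
<input name="db_pass" type="password" value="">
"""

if __name__ == "__main__":
    print("before:", audit_form(BEFORE, SECRETS))
    print("after: ", audit_form(AFTER, SECRETS))
```
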