rspec/rules/S6346/php/rule.adoc
Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00


WordPress has a database repair and optimization mode that can be activated by setting `WP_ALLOW_REPAIR` to `true` in the configuration.
If activated, the repair page can be accessed by any user, authenticated or not. This makes sense because if the database is corrupted, the authentication mechanism might not work.
Malicious users could trigger this potentially costly operation repeatedly, slowing down the website and making it unavailable.

== Ask Yourself Whether

* The database is not currently corrupted.

There is a risk if you answered yes to this question.

== Recommended Secure Coding Practices

It's recommended to enable automatic database repair mode only in case of database corruption. This feature should be deactivated again when the database issue is resolved.
== Sensitive Code Example

[source,php]
----
define( 'WP_ALLOW_REPAIR', true ); // Sensitive
----

== Compliant Solution

[source,php]
----
// The default value is false, so the value does not have to be explicitly set.
define( 'WP_ALLOW_REPAIR', false );
----
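
As an added example that is not part of the rule or of WordPress itself, the PHP check below shows how a configuration review can flag this setting with the tokenizer rather than a fragile text search; the function name `find_enabled_repair_mode` and the sample `wp-config.php` fragment are constructed.

```php
<?php
// Added audit helper (not part of the rule or of WordPress): scans the text
// of a wp-config.php for `define('WP_ALLOW_REPAIR', true)` using PHP's
// tokenizer, so spacing, quote style and trailing comments do not matter.
// Returns the line numbers where repair mode is explicitly enabled.
function find_enabled_repair_mode(string $source): array
{
    $lines = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'define') !== 0) {
            continue;
        }
        // Gather the next five meaningful tokens: ( 'NAME' , value )
        $args = [];
        for ($j = $i + 1; $j < $count && count($args) < 5; $j++) {
            $tok = $tokens[$j];
            $skip = is_array($tok)
                && in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
            if (!$skip) {
                $args[] = $tok;
            }
        }
        if (count($args) < 5 || $args[0] !== '(' || $args[2] !== ',' || $args[4] !== ')') {
            continue;
        }
        [$name, $value] = [$args[1], $args[3]];
        $isRepairConst = is_array($name) && $name[0] === T_CONSTANT_ENCAPSED_STRING
            && trim($name[1], "'\"") === 'WP_ALLOW_REPAIR';
        // `true` is tokenized as a T_STRING; compare case-insensitively, as PHP does
        $isTrue = is_array($value) && $value[0] === T_STRING && strcasecmp($value[1], 'true') === 0;
        if ($isRepairConst && $isTrue) {
            $lines[] = $t[2]; // line number of the `define` token
        }
    }
    return $lines;
}
// Constructed sample wp-config.php fragment used as input for the check.
$sample = <<<'CFG'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_ALLOW_REPAIR', true ); // forgotten after a one-off repair
define('WP_DEBUG', false);
CFG;
foreach (find_enabled_repair_mode($sample) as $line) {
    echo "wp-config.php line {$line}: WP_ALLOW_REPAIR is enabled; disable it once the repair is done.\n";
}
```

Running the script over a real `wp-config.php` (read with `file_get_contents`) in place of `$sample` gives a quick way to confirm the flag was turned back off after a repair.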

== See
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* https://wordpress.org/support/article/editing-wp-config-php/#automatic-database-optimizing[wordpress.org] - Automatic Database Optimizing
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]