7f49f6e2d6
* Create rule S6346 * Add description * Type and title * Address review comments Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
32 lines
1.3 KiB
Plaintext
32 lines
1.3 KiB
Plaintext
WordPress has a database repair and optimization mode that can be activated by setting `WP_ALLOW_REPAIR` to `true` in the configuration.
|
|
|
|
If activated, the repair page can be accessed by any user, authenticated or not. This makes sense because if the database is corrupted, the authentication mechanism might not work.
|
|
|
|
Malicious users could trigger this potentially costly operation repeatadly slowing down the website, and making it unavailable.
|
|
|
|
== Ask Yourself Whether
|
|
* The database is not currently corrupted.
|
|
|
|
There is a risk if you answered yes to this question.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
It's recommended to enable automatic database repair mode only in case of database corruption. This feature should be deactivated again when the database issue is resolved.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
define( 'WP_ALLOW_REPAIR', true ); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
// The default value is false, so the value does not have to be expilicitly set.
|
|
define( 'WP_ALLOW_REPAIR', false );
|
|
----
|
|
|
|
== See
|
|
|
|
* https://wordpress.org/support/article/editing-wp-config-php/#automatic-database-optimizing[wordpress.org] - Automatic Database Optimizing
|
|
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html[OWASP Top 10 2017 Category A6] - Security Misconfiguration |