Network Solutions is reported to have deployed a fix for a configuration flaw that led to hundreds of WordPress blogs being compromised. The fix involved changing passwords for the WordPress databases hosted on its systems. It recommended that all customers using WordPress should log into their accounts to change their administrative passwords.
WordPress developers have made a statement that configuration parameters are the users’ responsibility, or the responsibility of automated installation scripts that might be run by a hosting company.
“A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.
WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?
A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.”