"It's possible for malicious users of one site to access protected files of multisite installations if they are given the ability to run PHP code. For example, the normally protected settings.php file (which hides confidential database access information) of one multisite could be accessible by another by running the following PHP snippet:"