[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Wed Nov 11 17:48:24 UTC 2009


This seems like an Apache configuration problem to me. There are no
circumstances I can think of where I'd want test.php.jpg to be
executed as PHP by Apache.

A suggestion of an Apache configuration to disallow this type of thing
in the first place would be more helpful than resorting to .htaccess
hacks.

-Otto



On Wed, Nov 11, 2009 at 11:08 AM, Dawid Golunski <golunski at onet.eu> wrote:
> The execution of the PHP code despite the .php.jpg extension is possible
> because Apache allows for multiple extensions. Here is a quote from the
> Apache docs regarding this matter:
>
> "
> Files can have more than one extension, and the order of the extensions is
> normally irrelevant. For example, if the file welcome.html.fr maps onto
> content type text/html and language French then the file welcome.fr.html
> will map onto exactly the same information. If more than one extension is
> given that maps onto the same type of meta-information, then the one to the
> right will be used, except for languages and content encodings. For example,
> if .gif maps to the MIME-type image/gif and .html maps to the MIME-type
> text/html, then the file welcome.gif.html will be associated with the
> MIME-type text/html.
>
> Care should be taken when a file with multiple extensions gets associated
> with both a MIME-type and a handler. This will usually result in the request
> being handled by the module associated with the handler. For example, if the
> .imap extension is mapped to the handler imap-file (from mod_imagemap) and
> the .html extension is mapped to the MIME-type text/html, then the file
> world.imap.html will be associated with both the imap-file handler and the
> text/html MIME-type. When it is processed, the imap-file handler will be
> used, and so it will be treated as a mod_imagemap imagemap file.
> "
>
> IV. PROOF OF CONCEPT
> -------------------------
> A browser is enough to replicate this issue. Simply log in to your WordPress
> blog as a low privileged user or admin. Create a new post and use the media
> file upload feature to upload a file:
>
> test-image.php.jpg
>
> containing the following code:
>
> <?php
>        phpinfo();
> ?>
>
> After the upload you should receive a positive response saying:
>
> test-vuln.php.jpg
> image/jpeg
> 2009-11-11
>
> and it should be possible to request the uploaded file via a link:
> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>
> thus executing the PHP code it contains.
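The kind of server-side configuration Otto asks for, as an added example that is not part of this thread or of WordPress: it contrasts a handler mapping that matches ".php" anywhere in a multi-extension name with one anchored to the final extension, and additionally switches PHP off under the uploads directory. The document root path and the mod_php handler name are assumptions; adjust them to the distribution's own mod_php configuration.

```apache
# --- Weak: maps the PHP handler to any file whose extensions include .php.
# Per the Apache docs quoted above, a handler attached to one extension wins
# over a MIME-type attached to another, so test-image.php.jpg runs as PHP.
# (Handler name is an assumption; distributions differ.)
AddHandler application/x-httpd-php .php

# --- Corrected: only names that END in .php reach the PHP handler.
# The regex anchor ($) is the whole point; "\.php" without it would match
# test-image.php.jpg again.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# --- Defence in depth: nothing under the upload tree is ever executed,
# whatever it is called. Path is an assumption for a default install.
<Directory "/var/www/html/wp-content/uploads">
    # Drop any handler inherited from the parent scope
    SetHandler None
    RemoveHandler .php .phtml
    Options -ExecCGI
    # Also disable the PHP engine itself if mod_php is loaded
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

After reloading Apache, requesting an uploaded name such as test-vuln.php.jpg should return the raw bytes with the image/jpeg type rather than phpinfo() output; a setup that serves PHP through FastCGI or a proxy needs the equivalent restriction placed on that handler's mapping instead.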
