[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Ken Newman Ken at adcSTUDIO.com
Wed Nov 11 19:37:21 UTC 2009

I tried to test it, but it crashed the flash uploader. It reset to 
crunching 0% and stalled.

On 11/11/2009 2:33 PM, Aaron D. Campbell wrote:
> I haven't been able to duplicate this on any of my servers either.  I 
> did find that different browsers display my "vuln-test.php.jpg" 
> differently.
> Firefox shows the path to the file such as 
> "http://example.com/wp-content/uploads/2009/10/vuln-test.php.jpg"
> IE 8 shows the contents of the file such as "<?php phpinfo(); ?>"
> Opera and Safari both show it like a broken image
> Otto wrote:
>> To do that, you would just want test.php to output a image/jpeg mim
>> header, followed by the jpeg binary data. No need for tricky clever
>> naming tricks.
>> I've been unable to get this to work on my local Apache install so
>> far. test.php.jpg doesn't execute. Does anybody know the config needed
>> to make this vulnerable?
>> -Otto
>> Sent from Memphis, TN, United States
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list