[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Thomas Scholz info at toscho.de
Wed Nov 11 19:53:32 UTC 2009


Otto:

> Well, that's kinda my point. I don't see it as a bug in WP. If you
> upload a file named test.php.jpg, then WordPress is going to treat it
> as a JPG file. It can't magically tell that the actual content of the
> file is not a JPG.

Sometimes it can. Mediawiki uses FileInfo or mime_content_type() to check  
uploaded files.
See:
<http://www.mediawiki.org/wiki/Manual:Mime_type_detection>
<http://www.php.net/manual/en/book.fileinfo.php>
<http://www.php.net/manual/en/function.mime-content-type.php>

> I don't think there's any bug to fix, as this is not a
> WordPress-specific vulnerability. It's a generic vulnerability to any
> software which allows you to upload files to a server and uses the
> filename to differentiate between them.

The point is not trust the suffix only.

> The actual vulnerability is in Apache with the MultiViews option enabled.

In Apache it’s a feature. The server doesn’t know if you want this effect.

Thomas

-- 
Redaktion, Druck- und Webdesign
http://toscho.de · 0160/1764727
Twitter: @toscho


More information about the wp-hackers mailing list