[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Lynne Pope lynne.pope at gmail.com
Wed Nov 11 19:57:34 UTC 2009


2009/11/12 Otto <otto at ottodestruct.com>

> Well, that's kinda my point. I don't see it as a bug in WP. If you
> upload a file named test.php.jpg, then WordPress is going to treat it
> as a JPG file. It can't magically tell that the actual content of the
> file is not a JPG.
>

It's a trivial matter for WordPress to ensure that the file has only the JPG
extension though.


>
> I don't think there's any bug to fix, as this is not a
> WordPress-specific vulnerability. It's a generic vulnerability to any
> software which allows you to upload files to a server and uses the
> filename to differentiate between them. The actual vulnerability is in
> Apache with the MultiViews option enabled.
>

You are right, it's not a WordPress-specific vulnerability. However, I was
able to reproduce this on a shared server. The htaccess directive stops it
cold, but for the server it just worked on, the host is one that has thousands
of accounts. Perhaps hosts are not as smart as we think they are?

This exploit is in the wild now and it won't matter to users whether the
host configuration is poor or not - they will just see WordPress being
hacked.

I think it's worth fixing.

Lynne
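
The check discussed in the message above, ensuring an uploaded file keeps only its final, allowed extension, sketched as an added example (not part of the original message and not WordPress's own code). The function name `single_extension_filename` and the allow-list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not WordPress code.
// Assumption: uploads are limited to this allow-list of image extensions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return a storage name with exactly one allow-listed extension,
 * or null when the name must be rejected.
 */
function single_extension_filename(string $name): ?string
{
    // Drop any path components and control characters sent by the client.
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name);

    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null; // no extension at all
    }

    // Only the last segment decides the type, compared case-insensitively.
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Collapse every remaining dot so that no intermediate segment
    // (".php" in "test.php.jpg") can be read as an extension by the
    // web server's content negotiation or handler mapping.
    $stem = implode('_', array_filter($parts, fn($p) => $p !== ''));
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', $stem);
    if ($stem === '') {
        return null; // e.g. ".jpg"
    }

    return $stem . '.' . $ext;
}

// Constructed sample names, not taken from the thread's exploit report.
foreach (['test.php.jpg', 'holiday.JPG', 'shell.php', '../a.b.c.png', '.jpg'] as $n) {
    printf("%-14s => %s\n", $n, var_export(single_extension_filename($n), true));
}
```

This checks the name only; it does not inspect the file content, and it complements rather than replaces the server-side htaccess directive mentioned in the message.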

