[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
Otto
otto at ottodestruct.com
Wed Nov 11 19:58:05 UTC 2009
On Wed, Nov 11, 2009 at 1:53 PM, Thomas Scholz <info at toscho.de> wrote:
> Sometimes it can. Mediawiki uses FileInfo or mime_content_type() to check
> uploaded files.
> See:
> <http://www.mediawiki.org/wiki/Manual:Mime_type_detection>
> <http://www.php.net/manual/en/book.fileinfo.php>
> <http://www.php.net/manual/en/function.mime-content-type.php>
All of these are unreliable, at best. The fileinfo extension is
probably not installed, the mime-content-type is deprecated (and
straight up doesn't work as far as I can tell).
> The point is not to trust the suffix only.
There is no trustworthy way to determine file type, period. So it's a
matter of choosing what you want to use, all methods have drawbacks.
Filename suffix is the most common and most well understood.
>> The actual vulnerability is in Apache with the MultiViews option enabled.
>
> In Apache it’s a feature. The server doesn’t know if you want this effect.
Still can't get this to work, BTW. I enabled MultiViews. No change,
the PHP does not execute.
What else are the preconditions to make this thing vulnerable?
-Otto
Sent from Memphis, TN, United States
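As an added defensive example (not code from the thread, WordPress or MediaWiki), here is how an upload handler can combine the two checks the thread discusses: an allow-listed final extension, refusal of script extensions in any position (Apache's mod_mime reads every dot-separated extension in a name), and a fileinfo check used as a secondary signal that reports "undetermined" rather than "passed" when the extension is not installed. The allow-list, forbidden list and function names are assumptions.

```php
<?php
// Added example (not from the thread, WordPress or MediaWiki). Names and
// lists below are assumptions for illustration.

// Last extensions this site will store and serve, with the MIME type expected.
const ALLOWED_EXTENSIONS = [
    'jpg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif', 'pdf' => 'application/pdf',
];

// Apache's mod_mime reads every dot-separated extension in a name, so a script
// extension is refused wherever it appears (e.g. "x.php.jpg").
const FORBIDDEN_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh', 'htaccess',
];

// Return a sanitized name with exactly one allow-listed extension, or null.
function sanitize_upload_name(string $name): ?string
{
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }
    foreach ($parts as $part) {
        if (in_array($part, FORBIDDEN_EXTENSIONS, true)) {
            return null;                   // script extension in any position
        }
    }
    $ext = array_pop($parts);
    if (!isset(ALLOWED_EXTENSIONS[$ext])) {
        return null;                       // last extension not allow-listed
    }
    // Collapse the stem to [a-z0-9_-] so the stored name has a single dot.
    $stem = trim(preg_replace('/[^a-z0-9_-]+/', '-', implode('-', $parts)), '-');
    return $stem === '' ? null : $stem . '.' . $ext;
}

// Secondary signal: when fileinfo is available, the detected MIME type must
// match the extension. When it is absent, return null so the caller can
// decide, instead of silently passing.
function mime_matches_extension(string $path, string $ext): ?bool
{
    if (!class_exists('finfo')) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $detected === ALLOWED_EXTENSIONS[$ext];
}
```

A caller stores the file only when sanitize_upload_name() returns a name and mime_matches_extension() returns true, and treats null as "undetermined" to be resolved by site policy rather than as a pass.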