[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Dave Jones dave at technicacreative.co.uk
Thu Nov 12 17:22:03 UTC 2009


That's a nice plain English summary of the issue.  Thanks.

Dave Jones
www.technicacreative.co.uk


On 12 Nov 2009, at 17:17, Otto wrote:

> That's the basic exploit, yes. Make a PHP file. Rename it to whatever.php.jpg.
>
> WordPress will allow low-privilege users to upload this file through
> WordPress, as *.jpg is in the whitelist for those users.
>
> And apparently, some poorly configured Apache installations will let
> you request that file and have it actually run as PHP code. Which can
> provide a neat little backdoor into the system.
>
> To exploit it, you must have a login to the system, the system must
> allow you to upload files, and Apache must be configured using the
> older AddHandler directive instead of the latest PHP recommended
> method.
>
> -Otto
> Sent from Memphis, TN, United States
>
>
> On Thu, Nov 12, 2009 at 11:11 AM, Chris Jean <gaarai at gaarai.com> wrote:
>> I've just caught wind of this issue. Can I get more details on how to
>> attempt the exploit? For example, if there is a file: exploit.php.jpg, do I
>> simply request that file via the browser or is there a trick to it?
>>
>> Chris Jean
>> http://gaarai.com/
>> @chrisjean
>>
>>
>>
>> Otto wrote:
>>>
>>> I just confirmed on my friend's vulnerable host that this code in the
>>> .htaccess removed the vulnerability.
>>>
>>> RemoveHandler application/x-httpd-php .php
>>> <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
>>>   SetHandler application/x-httpd-php
>>> </FilesMatch>
>>> <FilesMatch "\.phps$">
>>>  SetHandler application/x-httpd-php-source
>>> </FilesMatch>
>>>
>>> -Otto
>>> Sent from Memphis, TN, United States
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>

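As an added illustration of why the .htaccess fix quoted above closes the hole (example code written for this page, not from the thread, WordPress or Apache): a small Python model of how Apache's mod_mime assigns a handler to a multi-extension name under the old AddHandler mapping versus under the anchored FilesMatch patterns, wrapped as a defender's audit of upload names. The sample filenames are constructed.

```python
import re

# Extensions an old-style "AddHandler application/x-httpd-php .php ..." setup binds
# to the PHP handler; the thread's FilesMatch fix lists the same set plus .phps.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phpt"}
# Regexes copied from the FilesMatch blocks in the quoted .htaccess (note the $ anchors).
PHP_SOURCE_RE = re.compile(r"\.phps$")
PHP_EXEC_RE = re.compile(r"\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$")


def handler_with_addhandler(filename):
    """Model of mod_mime under AddHandler: every dot-separated segment after the
    basename is an extension (compared case-insensitively), and a handler set by
    one of them survives unless a later extension sets a different handler.
    '.jpg' only sets a content type, so 'x.php.jpg' keeps the PHP handler."""
    handler = None
    for ext in filename.split(".")[1:]:
        if ext.lower() in PHP_EXTENSIONS:
            handler = "application/x-httpd-php"
    return handler


def handler_with_filesmatch(filename):
    """Model of the fixed config: RemoveHandler drops the extension mapping and
    only the anchored FilesMatch patterns (final extension only) assign a handler."""
    if PHP_SOURCE_RE.search(filename):
        return "application/x-httpd-php-source"
    if PHP_EXEC_RE.search(filename):
        return "application/x-httpd-php"
    return None


def risky_uploads(filenames):
    """Defender's audit: names that pass an image-extension whitelist but that the
    old AddHandler mapping would still hand to the PHP engine."""
    return sorted(f for f in filenames
                  if handler_with_addhandler(f) and not handler_with_filesmatch(f))


# Constructed sample of names found in an uploads directory (not from the thread).
SAMPLE_UPLOADS = ["photo.jpg", "avatar.php.jpg", "index.php", "notes.phps",
                  "banner.PHP.png", "report.phtml.gif"]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:18} AddHandler={str(handler_with_addhandler(name)):24} "
              f"FilesMatch={handler_with_filesmatch(name)}")
    print("executed as PHP only under AddHandler:", risky_uploads(SAMPLE_UPLOADS))
```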

