[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Robert Pendell shinji at elite-systems.org
Thu Nov 12 21:26:02 UTC 2009


Ok.  I'm curious here.  Does this only affect configurations that use php as
an Apache module?  That's what those instructions dictate.  Here is my
configuration and it isn't affected even with MultiViews on.  I am running
php as a fastcgi binary.

.htaccess:
AddHandler fastcgi-script fcg fcgi fpl
AddHandler php5-fastcgi .php
Action php5-fastcgi /php5-wrapper.fcgi




Robert Pendell
shinji at elite-systems.org
CAcert Assurer
"A perfect world is one of chaos."



On Thu, Nov 12, 2009 at 12:00 PM, Otto <otto at ottodestruct.com> wrote:

> Scratch that, I found a vulnerable host. Friend of mine has a shared
> hosting account which shows the issue.
>
> What's more, I figured out how to reproduce the problem. And it has
> nothing to do with MultiViews.
>
>
> If the host's configuration uses this (or similar), to tie PHP files
> to the PHP interpreter, then test.php.jpg is executable:
>
> AddHandler application/x-httpd-php .php
>
> If, instead, they use this (or similar):
>
> <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
>    SetHandler application/x-httpd-php
> </FilesMatch>
> <FilesMatch "\.phps$">
>   SetHandler application/x-httpd-php-source
> </FilesMatch>
>
> Then the server is safe from this type of attack.
>
> Step 15 here talks about this sort of thing:
> http://php.net/manual/en/install.unix.apache2.php
>
>
> -Otto
> Sent from Memphis, TN, United States
>
>
> On Thu, Nov 12, 2009 at 10:43 AM, Otto <otto at ottodestruct.com> wrote:
> > I don't have access to any hosts that have this issue. I tried the
> > ones I use, and have yet to find one that will execute *.php.jpg from
> > a web request.
> >
> > If it's an Apache problem, then somebody should be able to tell me how
> > to configure Apache to do it. I can't figure it out.
> >
> > I can confirm that simply turning on MultiViews doesn't create an
> > exploitable system. There's some more configuration to make it happen.
> >
> > A default Apache and PHP installation, with no extreme changes to
> > them, is NOT vulnerable.
> >
> > -Otto
> >
> >
> >
> > On Thu, Nov 12, 2009 at 10:40 AM, Ken Newman <Ken at adcstudio.com> wrote:
> >> I have replicated this behavior, as in executed info.php.jpg on a server
> >> running from a popular hosting company. (Is it appropriate to list hosts
> >> here?) I figured out which host to test from the previous message from
> >> Lynne Pope:
> >>
> >> I just learned that Multiviews are enabled by default and that this is
> >> the config for WHM/cPanel servers.
> >>
> >> So I went to a client's site (one of our only clients with a cPanel
> >> host; going to switch them to our normal host soon) and tested it. I was
> >> surprised that it worked on such a popular host.
> >>
> >> If you want to test this out, Dave Jones or Otto, you'll probably have
> >> to use a host with WHM/cPanel.
> >>
> >> On 11/12/2009 11:25 AM, Dave Jones wrote:
> >>>
> >>> I'm slightly confused since I thought the exploit allowed arbitrary
> >>> execution of PHP on the server.  This is much worse than an XSS
> >>> JavaScript exploit since PHP could potentially send spam emails, execute
> >>> a DDoS attack, delete your public_html directory from the server or whatever.
> >>>
> >>> I have no doubt that fixing this exploit is a good thing, however I
> >>> feel it slightly misses the point.  That said, I have been unable to
> >>> replicate this exploit in the wild, even with Options +MultiViews.
> >>>
> >>> This is clearly an Apache misconfiguration issue and if fixed in WP
> >>> will remain unfixed in countless other web applications.  It would be far
> >>> better to ensure your host correctly configures Apache and doesn't leave
> >>> security holes in the server, or move to a host that does!
> >>>
> >>>
> >>> Dave Jones
> >>> www.technicacreative.co.uk
> >>>
> >>>
> >>> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
> >>>
> >>>> Okay, good news, we've fixed the extension exploit and then will have
> >>>> to wait another 6 to 8 months while another XSS attack shows up about
> >>>> people adding images executing JavaScript on their servers (which isn't
> >>>> completely bad since most / all administrative tasks require a nonce).
> >>>
> >>> _______________________________________________
> >>> wp-hackers mailing list
> >>> wp-hackers at lists.automattic.com
> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >>
> >
>
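The distinction Otto draws above (AddHandler binding any dot-separated component versus FilesMatch anchored on the trailing extension) can be checked offline. The following audit script is an added example, not from the thread or from WordPress or Apache; it is a simplified model of mod_mime's extension matching, and the two config snippets it parses are constructed to mirror the ones quoted above.

```python
import re

# Constructed handler configurations mirroring the two variants in the thread.
ADDHANDLER_CONFIG = "AddHandler application/x-httpd-php .php"
FILESMATCH_CONFIG = r'''<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
   SetHandler application/x-httpd-php
</FilesMatch>'''


def addhandler_extensions(config):
    """Extensions (lower-case, no dot) that AddHandler binds to a PHP handler."""
    exts = set()
    for m in re.finditer(r"^\s*AddHandler\s+(\S+)\s+(.+)$", config, re.M):
        if "php" in m.group(1).lower():
            exts.update(e.lstrip(".").lower() for e in m.group(2).split())
    return exts


def filesmatch_patterns(config):
    """FilesMatch regexes whose block sets the PHP handler (not php-source)."""
    pats = []
    for m in re.finditer(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', config, re.S):
        if re.search(r"SetHandler\s+application/x-httpd-php\s", m.group(2)):
            pats.append(m.group(1))
    return pats


def php_handles(filename, config):
    """True if this model of Apache would hand `filename` to PHP.

    AddHandler: mod_mime treats every dot-separated component after the
    first as an extension, so 'test.php.jpg' carries both 'php' and 'jpg'.
    FilesMatch: the regex runs against the whole basename, so a pattern
    anchored with '$' matches only a trailing '.php'.
    """
    exts = {p.lower() for p in filename.split(".")[1:]}
    if exts & addhandler_extensions(config):
        return True
    return any(re.search(p, filename) for p in filesmatch_patterns(config))


def audit(config, samples=("info.php", "test.php.jpg", "photo.jpg")):
    """Map each sample upload name to whether PHP would execute it."""
    return {name: php_handles(name, config) for name in samples}


if __name__ == "__main__":
    for label, cfg in (("AddHandler", ADDHANDLER_CONFIG), ("FilesMatch", FILESMATCH_CONFIG)):
        print(label, audit(cfg))
```

Running it shows `test.php.jpg` flagged only under the AddHandler variant, which is the configuration difference the thread converges on.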

