[wp-testers] c99shell.php and uploading php files

Rick Beckman rick.beckman at gmail.com
Fri Nov 3 00:12:11 GMT 2006


Using 2.0.5, I have had my whole hosting account wiped out twice via a user
being able to upload a script (commonly called c99shell.php) which is able
to do a number of malicious things. From what I have seen online via a few
Google searches, users are able to upload via the File Upload in the
WordPress admin without logging in. However, I also noticed in my logs that
the user was toying around in the WordPress theme editor, but I have no idea
what he was doing. And passwords were all changed between the site
defacings.

So, I'm just writing to confirm whether or not such a thing is possible (i.e.,
could WordPress be to blame?) and whether there is a way to forbid the uploading
of PHP files.

--
Rick Beckman
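The post above asks how to keep PHP files out of the WordPress upload area. The following is an added example, not code from the original post or from WordPress itself: a POSIX shell script that lists PHP-like files already sitting under wp-content/uploads (detection) and writes an .htaccess that stops Apache from executing anything in that tree (mitigation). It assumes an Apache host where .htaccess overrides are honoured and that the site's document root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumptions: the WordPress
# document root is $1, PHP runs under Apache via mod_php or a handler that
# honours .htaccess, and AllowOverride permits these directives in uploads/.

# Extensions Apache/PHP may execute. The trailing (\.|$) also catches
# double extensions such as shell.php.jpg, which some handlers still run.
PHP_EXT_RE='\.(php|php[3-7]|phtml|phps|phar)(\.|$)'

# Detection: print every file under wp-content/uploads with a PHP-like
# extension. The uploads tree should hold media only, so any hit is suspect.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f 2>/dev/null | grep -E -i "$PHP_EXT_RE"
}

# Mitigation: drop an .htaccess into uploads/ that turns the PHP engine off
# (mod_php) and refuses to serve PHP-named files at all (any handler).
harden_uploads_dir() {
    dir="$1/wp-content/uploads"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Written by harden_uploads_dir: never execute scripts from the uploads tree.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|php[3-7]|phtml|phps|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}
```

Run it as `find_php_in_uploads /path/to/site` first and review the output before hardening; the .htaccess only blocks execution, it does not remove files that are already there.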

