[wp-trac] [WordPress Trac] #17969: Code Execution vulnerability in WordPress
WordPress Trac
wp-trac at lists.automattic.com
Sun Jul 3 14:52:19 UTC 2011
#17969: Code Execution vulnerability in WordPress
--------------------------+-----------------------------
Reporter: macbroadcast | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.2
Severity: critical | Keywords: needs-patch
--------------------------+-----------------------------
An attacker was able to upload a “directory” within the WordPress directory, and I found out that the “contact form” module might cause the problem because I always found a “wpcf7_captcha” directory in my upload folder, so I removed the module, set new passwords for WordPress and all went fine for a day.
Today I received another mail from rsa.com that the same script is still on my site, just in a “theme” folder.
http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
It seems the attacker found a vulnerability in WordPress, so I removed the used theme and directory.
SecurityVulns ID: 11622.
Affected products:
Vulnerable are versions WordPress 2.5 – 3.1.1. The new version 3.1.2, which was released on the 26th of April just after my disclosure, also must be vulnerable. The attack via double extension will work on Apache with appropriate configuration.
---------- Details: ----------
A Code Execution (WASC-31) attack is possible in WordPress via the uploader. The attack can be conducted by users with the roles Author, Editor and Administrator. In WordPress 2.5 – 2.8.4 it's possible to upload php scripts (1.php) in the Media Library. In 2.5 – 2.7.1 the attack is possible only for Administrator. For Author and Editor it's not possible to upload 1.php, nor will the attack work via double extensions. In version 2.8.5 it was prohibited also for Administrator. And even in 2.8 – 2.8.5 for Author and Editor (and for Administrator in 2.8.5) it's impossible to upload 1.php, but it's possible to upload 1.php.txt. Also, in WP 2.0 – 2.0.11 (where there was no Media Library) uploading files with the php extension was prohibited for all roles (and the bypassing method didn't work), as in versions 2.1.x, 2.2.x and 2.3.x. Only in WordPress 2.2 (http://websecurity.com.ua/1276/) did Alexander Concha find a vulnerability which allowed uploading files with the php extension. In version 2.8.6 and higher it's already prohibited. The attack via double extensions (1.php.txt and 1.asp;.txt) will not work, but it's possible to use 1.phtml.txt (for all three roles) to execute code.
---------- Timeline: ----------
2011.04.26 – disclosed at my site. As I already wrote many times to security mailing lists (http://www.securityfocus.com/archive/1/510274), starting from 2008 I no longer inform WP developers about vulnerabilities in WordPress. I mentioned these vulnerabilities at my site (http://websecurity.com.ua/5108/).
Best wishes & regards, MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

More at http://let.de/index.php/code-execution-vulnerability-in-wordpress/
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17969>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list
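Added example, not part of this ticket, of the quoted advisory or of WordPress: a defender-side filename check in Python for the double-extension uploads the advisory describes (1.php.txt, 1.phtml.txt, 1.asp;.txt), where a server that maps any inner extension to a script handler would otherwise execute the file. The extension sets and function names are assumptions made for this example.

```python
import re
from typing import Optional

# Extensions a script handler may claim when they appear anywhere in the
# name: Apache's mod_mime looks at every extension, so "1.phtml.txt" runs
# as PHP where .phtml is mapped to a handler. Constructed list; tune it to
# the handlers actually configured on the server.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar", "phps", "asp", "aspx",
    "cgi", "pl", "py", "sh",
}
# What the uploader is meant to accept (constructed allowlist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def filename_segments(name: str) -> list[str]:
    """Lower-cased, dot-separated segments of the basename. ';' is also a
    separator, so "1.asp;.txt" yields "asp" rather than "asp;"."""
    base = re.split(r"[/\\]", name)[-1]
    return [s for s in re.split(r"[.;]", base.lower()) if s]


def upload_rejection_reason(name: str) -> Optional[str]:
    """None if the name may be stored, otherwise why it was rejected.
    The final extension must be allowlisted AND no inner segment may be
    executable; checking only the last extension is exactly what the
    double-extension bypass gets past."""
    segments = filename_segments(name)
    if len(segments) < 2:
        return "no extension"
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return f"extension '.{segments[-1]}' is not allowed"
    for seg in segments[1:-1]:
        if seg in EXECUTABLE_EXTENSIONS:
            return f"inner extension '.{seg}' would be executed by the server"
    return None


def stored_name(name: str) -> Optional[str]:
    """Name to write to disk, or None if rejected. Defence in depth: inner
    dots become underscores, so the stored file has exactly one extension
    even if EXECUTABLE_EXTENSIONS is incomplete."""
    if upload_rejection_reason(name) is not None:
        return None
    segments = filename_segments(name)
    return "_".join(segments[:-1]) + "." + segments[-1]
```

The rejection reason is worth logging: a steady stream of inner-extension rejections from one account is a useful detection signal for the behaviour the ticket describes.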