[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Dave Jones dave at technicacreative.co.uk
Wed Nov 11 17:37:40 UTC 2009


This will work for mod_php-based installs, but what about sites hosted
on shared servers? Most shared servers rely on FastCGI/suPHP for
security. I've tried php_admin_flag and php_flag in .htaccess and
they both produce config errors.

Any suggestions would be warmly received.

Dave Jones
www.technicacreative.co.uk


On 11 Nov 2009, at 17:23, Jeremy Clarke wrote:

> .htaccess idea sounds really lightweight and nice. A related solution
> is to turn off PHP execution in the apache config for your server (if
> you have access) for any directories that are writable. At one point
> attackers had uploaded php files without any .php extension in them
> and were managing to load them, but this stopped it.
>
> 	# Cache dir
> 	<Directory /var/www/path_to_site/wp-content/cache>
> 		AllowOverride None
> 		php_admin_flag engine off
> 		php_admin_value open_basedir none
> 	</Directory>
> 	# media upload dir
> 	<Directory /var/www/path_to_site/wp-content/uploads>
> 		AllowOverride None
> 		php_admin_flag engine off
> 		php_admin_value open_basedir none
> 	</Directory>
>
> It leaves room for other types of code if your server is configured to
> run them though.
>
>
> --
> Jeremy Clarke | http://jeremyclarke.org
> Code and Design | http://globalvoicesonline.org
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
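An added example, not taken from either message in this thread, of the same
protection written so that it also holds where PHP runs under CGI, FastCGI or
suPHP. The php_admin_flag and php_flag directives are defined by mod_php only;
when that module is not loaded Apache rejects them as unknown commands. The
portable approach is to have Apache refuse to serve PHP-looking files out of
the writable directories at all, which works regardless of which handler would
otherwise run them. The path /var/www/path_to_site is the placeholder from the
quoted reply; the extension list is an assumption and should be adjusted to
whatever extensions the host actually maps to PHP.

```apache
# Added example (not from the thread): deny PHP in WordPress's writable
# directories in a way that does not depend on mod_php being present.
#
# Apache 2.4 syntax. For Apache 2.2 replace "Require all denied" with:
#   Order allow,deny
#   Deny from all

<Directory /var/www/path_to_site/wp-content/uploads>
    # Ignore any .htaccess an attacker manages to drop into the directory.
    AllowOverride None

    # Keep the mod_php defence from the quoted reply, but only parse it when
    # mod_php is actually loaded; otherwise Apache would refuse to start.
    <IfModule mod_php5.c>
        php_admin_flag engine off
        php_admin_value open_basedir none
    </IfModule>

    # Handler-independent defence: refuse to serve anything that carries a
    # PHP extension ANYWHERE in its name, not only at the end. With
    # "AddHandler ... .php" mod_mime treats "shell.php.jpg" as PHP, so an
    # end-anchored pattern like "\.php$" would miss it.
    # Extension list is an assumption; match it to the host's PHP mapping.
    <FilesMatch "\.(php|phtml|php[3-7]|phps|phar)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>

<Directory /var/www/path_to_site/wp-content/cache>
    AllowOverride None
    <IfModule mod_php5.c>
        php_admin_flag engine off
        php_admin_value open_basedir none
    </IfModule>
    <FilesMatch "\.(php|phtml|php[3-7]|phps|phar)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

On shared hosting where only .htaccess is available, the <FilesMatch> part can
be placed in wp-content/uploads/.htaccess instead (the 2.2 Order/Deny form
needs AllowOverride Limit, the 2.4 Require form needs AllowOverride AuthConfig).
A rule file living inside a directory the attacker can write to is only as good
as whatever stops them from overwriting it, though, so the server-config form
with AllowOverride None is preferable wherever you can get it. As the quoted
reply notes, this only covers PHP; anything else the server is configured to
execute from those directories needs its own rule.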