[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Jeremy Clarke jer at simianuprising.com
Wed Nov 11 17:54:27 UTC 2009

On Wed, Nov 11, 2009 at 12:48 PM, Otto <otto at ottodestruct.com> wrote:
> This seems like an Apache configuration problem to me. There are no
> circumstances I can think of where I'd want test.php.jpg to be
> executed as PHP by Apache.

I think the example would be if you were using php with GD or
something to output images on the fly (maybe with a caching layer in
the php). There must be some plugins out there that use this trick, I
know i've seen it before. It might be that this should be the
.htaccess hack and not the standard though.

Jeremy Clarke
Code and Design | globalvoicesonline.org

More information about the wp-hackers mailing list