[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Dave Jones dave at technicacreative.co.uk
Wed Nov 11 18:00:34 UTC 2009


I was testing test.php - I have to agree with Otto on none of my  
servers does test.php.jpg return anything but an empty image.

Looks like this is a false alarm.

Dave Jones
www.technicacreative.co.uk


On 11 Nov 2009, at 17:48, Otto wrote:

> This seems like an Apache configuration problem to me. There are no
> circumstances I can think of where I'd want test.php.jpg to be
> executed as PHP by Apache.
>
> A suggestion of an Apache configuration to disallow this type of thing
> in the first place would be more helpful than resorting to .htaccess
> hacks.
>
> -Otto
>
>
>
> On Wed, Nov 11, 2009 at 11:08 AM, Dawid Golunski <golunski at onet.eu> wrote:
>> The execution of the PHP code despite the .php.jpg extension is possible
>> because Apache allows for multiple extensions. Here is a quote from Apache
>> docs regarding this matter:
>>
>> "
>> Files can have more than one extension, and the order of the extensions is
>> normally irrelevant. For example, if the file welcome.html.fr maps onto
>> content type text/html and language French then the file welcome.fr.html
>> will map onto exactly the same information. If more than one extension is
>> given that maps onto the same type of meta-information, then the one to the
>> right will be used, except for languages and content encodings. For
>> example, if .gif maps to the MIME-type image/gif and .html maps to the
>> MIME-type text/html, then the file welcome.gif.html will be associated with
>> the MIME-type text/html.
>>
>> Care should be taken when a file with multiple extensions gets associated
>> with both a MIME-type and a handler. This will usually result in the
>> request being handled by the module associated with the handler. For
>> example, if the .imap extension is mapped to the handler imap-file (from
>> mod_imagemap) and the .html extension is mapped to the MIME-type text/html,
>> then the file world.imap.html will be associated with both the imap-file
>> handler and text/html MIME-type. When it is processed, the imap-file
>> handler will be used, and so it will be treated as a mod_imagemap imagemap
>> file.
>> "
>>
>> IV. PROOF OF CONCEPT
>> -------------------------
>> A browser is enough to replicate this issue. Simply log in to your
>> WordPress blog as a low privileged user or admin. Create a new post and
>> use the media file upload feature to upload a file:
>>
>> test-image.php.jpg
>>
>> containing the following code:
>>
>> <?php
>>        phpinfo();
>> ?>
>>
>> After the upload you should receive a positive response saying:
>>
>> test-vuln.php.jpg
>> image/jpeg
>> 2009-11-11
>>
>> and it should be possible to request the uploaded file via a link:
>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>>
>> thus executing the PHP code it contains.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
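Otto's point is that the outcome depends on how the server maps .php to PHP, not on WordPress. The following is an added example, not code from the thread or from Apache: a small Python model of the mod_mime rules quoted above (rightmost extension wins for the MIME type; any handler beats the type; a <FilesMatch> SetHandler is matched against the whole name). The config dictionaries, the handler name "php-script" and the helper names are constructed for illustration.

```python
import re

# Simplified model of the mod_mime rules quoted in the advisory (constructed
# for illustration, not Apache's real implementation). Every dotted suffix of
# the file name is an extension; for the MIME type the rightmost match wins;
# a handler attached to any extension takes precedence over the MIME type.
def resolve(filename, add_type, add_handler, files_match=()):
    """Return ("handler", name) if a handler applies, else ("type", mime)."""
    mime = None
    handler = None
    for ext in filename.split(".")[1:]:
        ext = "." + ext.lower()
        if ext in add_type:
            mime = add_type[ext]          # rightmost AddType wins
        if ext in add_handler:
            handler = add_handler[ext]    # any AddHandler extension sticks
    # <FilesMatch> SetHandler is evaluated on the whole basename and overrides
    for pattern, h in files_match:
        if re.search(pattern, filename):
            handler = h
    if handler:
        return ("handler", handler)
    return ("type", mime)

# Weak: AddHandler ties .php anywhere in the name to the PHP handler.
WEAK = dict(add_type={".jpg": "image/jpeg", ".html": "text/html", ".gif": "image/gif"},
            add_handler={".php": "php-script", ".imap": "imap-file"})

# Safer: PHP only when the name *ends* in .php, via <FilesMatch "\.php$">,
# and no AddHandler for .php at all.
SAFE = dict(add_type=WEAK["add_type"],
            add_handler={".imap": "imap-file"},
            files_match=[(r"\.php$", "php-script")])

def would_run_php(filename, cfg):
    """True if the configuration would hand this file to the PHP handler."""
    return resolve(filename, **cfg) == ("handler", "php-script")

if __name__ == "__main__":
    for name in ("test-image.php.jpg", "index.php", "welcome.gif.html", "world.imap.html"):
        print(f"{name:20} weak={resolve(name, **WEAK)}  safe={resolve(name, **SAFE)}")
```

Under SAFE the uploaded test-image.php.jpg resolves to image/jpeg with no handler, which is the "empty image" Dave and Otto observe; under WEAK the .php handler wins regardless of the trailing .jpg.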


