[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
ceo at kettlewell.net
Wed Nov 11 18:06:25 UTC 2009
Would be interesting to see how many servers in the wild have Apache
configured to allow this sort of thing... I suspect that most advanced
users know better and how to config for changes, but would a big hosting
company leave something like this open to reduce support calls to turn it
on, or out of ignorance?
On Wed, Nov 11, 2009 at 11:00 AM, Dave Jones <dave at technicacreative.co.uk> wrote:
> I was testing test.php - I have to agree with Otto: on none of my servers
> does test.php.jpg return anything but an empty image.
> Looks like this is a false alarm.
> Dave Jones
>
> On 11 Nov 2009, at 17:48, Otto wrote:
>> This seems like an Apache configuration problem to me. There are no
>> circumstances I can think of where I'd want test.php.jpg to be
>> executed as PHP by Apache.
>> A suggestion of an Apache configuration to disallow this type of thing
>> in the first place would be more helpful than resorting to .htaccess.
>>
>> On Wed, Nov 11, 2009 at 11:08 AM, Dawid Golunski <golunski at onet.eu> wrote:
>>> The execution of the PHP code despite the .php.jpg extension is possible
>>> because Apache allows for multiple extensions. Here is a quote from the
>>> Apache docs on this matter:
>>>
>>> Files can have more than one extension, and the order of the extensions is
>>> normally irrelevant. For example, if the file welcome.html.fr maps onto
>>> content type text/html and language French then the file welcome.fr.html
>>> will map onto exactly the same information. If more than one extension is
>>> given that maps onto the same type of meta-information, then the one to the
>>> right will be used, except for languages and content encodings. For example,
>>> if .gif maps to MIME-type image/gif and .html maps to the MIME-type
>>> text/html, then the file welcome.gif.html will be associated with the
>>> MIME-type text/html.
>>>
>>> Care should be taken when a file with multiple extensions gets associated
>>> with both a MIME-type and a handler. This will usually result in the request
>>> being handled by the module associated with the handler. For example, if the
>>> .imap extension is mapped to the handler imap-file (from mod_imagemap) and
>>> the .html extension is mapped to the MIME-type text/html, then the file
>>> world.imap.html will be associated with both the imap-file handler and the
>>> text/html MIME-type. When it is processed, the imap-file handler will be
>>> used, and so it will be treated as a mod_imagemap imagemap file.
>>> IV. PROOF OF CONCEPT
>>>
>>> Browser is enough to replicate this issue. Simply log in to your blog as a
>>> low privileged user or admin. Create a new post and use the media file
>>> upload feature to upload a file:
>>>
>>> containing the following code:
>>>
>>> After the upload you should receive a positive response saying:
>>>
>>> and it should be possible to request the uploaded file via a link:
>>>
>>> thus executing the PHP code it contains.
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
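As an added illustration of the multi-extension rule Dawid quotes from the Apache docs and of the kind of configuration Otto asks for (this is example code written here, not code from the thread, from WordPress or from Apache): a small Python model of how mod_mime picks a handler and a MIME type for a name like test.php.jpg, used to audit a constructed list of upload names under a config that binds the PHP handler with AddHandler and under one that binds it only through an anchored <FilesMatch "\.php$"> SetHandler. The ApacheModel class, the directive fragments and the sample file names are assumptions made for the example; the class is a simplified model of mod_mime (extensions scanned left to right, rightmost match wins per category, handler outranks type when served), not Apache's own code.

```python
"""Simplified model of Apache mod_mime multi-extension handling (example code,
not from the wp-hackers thread, WordPress or Apache)."""
import re
from dataclasses import dataclass, field

PHP = "application/x-httpd-php"   # handler name mod_php registers

# Illustrative Apache fragments (assumed for this example). The first binds the
# PHP handler to a ".php" extension anywhere in the file name; the second binds
# it only when ".php" is the final extension.
WEAK_CONFIG = """
AddHandler application/x-httpd-php .php
AddType image/jpeg .jpg
"""
HARDENED_CONFIG = """
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType image/jpeg .jpg
"""


@dataclass
class ApacheModel:
    """Model of mod_mime resolution: not Apache's own code."""
    add_handler: dict = field(default_factory=dict)   # ext -> handler  (AddHandler)
    add_type: dict = field(default_factory=dict)      # ext -> MIME type (AddType)
    files_match: list = field(default_factory=list)   # (regex, handler) (<FilesMatch> + SetHandler)

    def resolve(self, filename):
        """Return (handler, mime_type) as mod_mime would assign them.

        Every extension after the first dot is examined left to right; an
        AddHandler match sets the handler, an AddType match sets the type,
        and the rightmost match wins in each category.  A <FilesMatch>
        SetHandler then overrides whatever handler the extensions produced.
        """
        handler = None
        mime = None
        for ext in filename.split(".")[1:]:
            ext = ext.lower()            # mod_mime compares extensions case-insensitively
            if ext in self.add_handler:
                handler = self.add_handler[ext]
            if ext in self.add_type:
                mime = self.add_type[ext]
        for pattern, forced in self.files_match:
            if re.search(pattern, filename):
                handler = forced
        return handler, mime

    def executes_as_php(self, filename):
        """True if the request goes to the PHP handler instead of being served as data;
        when both a handler and a type are set, the handler wins (the docs' warning)."""
        handler, _ = self.resolve(filename)
        return handler == PHP


TYPES = {"jpg": "image/jpeg", "png": "image/png", "txt": "text/plain"}


def weak_model():
    """Config that binds the handler by extension, wherever it appears."""
    return ApacheModel(add_handler={"php": PHP}, add_type=dict(TYPES))


def hardened_model():
    """Config that binds the handler only for names ending in .php."""
    return ApacheModel(add_type=dict(TYPES), files_match=[(r"\.php$", PHP)])


# Constructed upload names for the audit; only report.php is a real script name.
SAMPLE_UPLOADS = ["photo.jpg", "test.php.jpg", "report.php", "evil.PhP.png", "notes.txt"]


def audit_uploads(model, filenames):
    """Names in an upload directory that Apache would execute rather than serve as data."""
    return [name for name in filenames if model.executes_as_php(name)]


if __name__ == "__main__":
    for label, model in (("AddHandler", weak_model()), ("FilesMatch", hardened_model())):
        print(label, "executes:", audit_uploads(model, SAMPLE_UPLOADS))
```

Under the AddHandler model test.php.jpg resolves to both the PHP handler and image/jpeg, and the handler wins, which is exactly the case the quoted docs warn about; with the handler bound only by an anchored FilesMatch regex the same name is served as a plain image. The regex is case-sensitive like an Apache FilesMatch pattern, so use `(?i)` or an explicit character class if uploads can carry upper-case extensions, and for a directory that should never serve scripts at all the stronger option is to leave no PHP handler bound there in the first place.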