[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Wed Nov 11 18:54:15 UTC 2009


To do that, you would just want test.php to output a image/jpeg mim
header, followed by the jpeg binary data. No need for tricky clever
naming tricks.

I've been unable to get this to work on my local Apache install so
far. test.php.jpg doesn't execute. Does anybody know the config needed
to make this vulnerable?

-Otto
Sent from Memphis, TN, United States


On Wed, Nov 11, 2009 at 11:54 AM, Jeremy Clarke <jer at simianuprising.com> wrote:
> On Wed, Nov 11, 2009 at 12:48 PM, Otto <otto at ottodestruct.com> wrote:
>> This seems like an Apache configuration problem to me. There are no
>> circumstances I can think of where I'd want test.php.jpg to be
>> executed as PHP by Apache.
>
> I think the example would be if you were using php with GD or
> something to output images on the fly (maybe with a caching layer in
> the php). There must be some plugins out there that use this trick, I
> know i've seen it before. It might be that this should be the
> .htaccess hack and not the standard though.
>
> --
> Jeremy Clarke
> Code and Design | globalvoicesonline.org
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>


More information about the wp-hackers mailing list