[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Aaron D. Campbell aaron at xavisys.com
Wed Nov 11 19:33:14 UTC 2009


I haven't been able to duplicate this on any of my servers either.  I 
did find that different browsers display my "vuln-test.php.jpg" differently.

Firefox shows the path to the file such as 
"http://example.com/wp-content/uploads/2009/10/vuln-test.php.jpg"
IE 8 shows the contents of the file such as "<?php phpinfo(); ?>"
Opera and Safari both show it like a broken image


Otto wrote:
> To do that, you would just want test.php to output a image/jpeg mim
> header, followed by the jpeg binary data. No need for tricky clever
> naming tricks.
>
> I've been unable to get this to work on my local Apache install so
> far. test.php.jpg doesn't execute. Does anybody know the config needed
> to make this vulnerable?
>
> -Otto
> Sent from Memphis, TN, United States
>   


More information about the wp-hackers mailing list