[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
Aaron D. Campbell
aaron at xavisys.com
Wed Nov 11 19:33:14 UTC 2009
I haven't been able to duplicate this on any of my servers either. I
did find that different browsers display my "vuln-test.php.jpg" differently.
Firefox shows the path to the file such as
"http://example.com/wp-content/uploads/2009/10/vuln-test.php.jpg"
IE 8 shows the contents of the file such as "<?php phpinfo(); ?>"
Opera and Safari both show it like a broken image
Otto wrote:
> To do that, you would just want test.php to output a image/jpeg mim
> header, followed by the jpeg binary data. No need for tricky clever
> naming tricks.
>
> I've been unable to get this to work on my local Apache install so
> far. test.php.jpg doesn't execute. Does anybody know the config needed
> to make this vulnerable?
>
> -Otto
> Sent from Memphis, TN, United States
>
More information about the wp-hackers
mailing list