[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Wed Nov 11 19:41:16 UTC 2009


Well, that's kinda my point. I don't see it as a bug in WP. If you
upload a file named test.php.jpg, then WordPress is going to treat it
as a JPG file. It can't magically tell that the actual content of the
file is not a JPG.

I don't think there's any bug to fix, as this is not a
WordPress-specific vulnerability. It's a generic vulnerability to any
software which allows you to upload files to a server and uses the
filename to differentiate between them. The actual vulnerability is in
Apache with the MultiViews option enabled.

-Otto



On Wed, Nov 11, 2009 at 1:33 PM, Thomas Scholz <info at toscho.de> wrote:
> Otto:
>
>> This seems like an Apache configuration problem to me. There are no
>> circumstances I can think of where I'd want test.php.jpg to be
>> executed as PHP by Apache.
>
> This is a result of
>
>        Options +MultiViews
>
> in the .htaccess. A useful setting for Content-Negotiation or references to
> files without any suffix.
>
> It is a very common setting too, so this bug should be fixed in the WP core.
>
> Thomas
>
> --
> Redaktion, Druck- und Webdesign
> http://toscho.de · 0160/1764727
> Twitter: @toscho
>
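
The double-extension case discussed in this thread (test.php.jpg), as an added example that is not part of either message and is not WordPress code: an upload check that inspects every dot-separated segment of the name instead of only the last one, and also looks at the leading bytes of the body. The function names, the extension list and the sample uploads are assumptions constructed for illustration.

```php
<?php
// Added example. Hypothetical helper names; the extension list is a constructed sample.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'cgi'];

/** Return every segment after the base name that could map to a script handler. */
function script_segments(string $filename): array
{
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the base name; every remaining segment counts as an extension
    return array_values(array_intersect($parts, SCRIPT_EXTENSIONS));
}

/** Append "_" to interior script segments so none of them matches a handler. */
function neutralise_name(string $filename): string
{
    $parts = explode('.', basename($filename));
    $last = count($parts) - 1;
    foreach ($parts as $i => $part) {
        // A script extension in the final position is left alone: reject such uploads outright.
        if ($i > 0 && $i < $last && in_array(strtolower($part), SCRIPT_EXTENSIONS, true)) {
            $parts[$i] = $part . '_';
        }
    }
    return implode('.', $parts);
}

/** True when the leading bytes carry the JPEG start-of-image marker. */
function looks_like_jpeg(string $bytes): bool
{
    return strncmp($bytes, "\xFF\xD8\xFF", 3) === 0;
}

// Constructed sample uploads: name => first bytes of the body.
$uploads = [
    'holiday.jpg'  => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'test.php.jpg' => "<?php /* body elided */",
    'test.PHP.jpg' => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
];

foreach ($uploads as $name => $head) {
    printf(
        "%-14s script segments: %-4s stored as: %-14s jpeg header: %s\n",
        $name,
        implode(',', script_segments($name)) ?: '-',
        neutralise_name($name),
        looks_like_jpeg($head) ? 'yes' : 'no'
    );
}
```

The third sample passes the header check while still carrying a script segment in its name, so the two checks are complementary rather than interchangeable.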

