[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Dave Jones dave at technicacreative.co.uk
Wed Nov 11 19:55:06 UTC 2009


Defining it as a feature in one software and a bug in another. Smells  
funny to me.

Dave Jones
www.technicacreative.co.uk


On 11 Nov 2009, at 19:53, Thomas Scholz wrote:

> Otto:
>
>> Well, that's kinda my point. I don't see it as a bug in WP. If you
>> upload a file named test.php.jpg, then WordPress is going to treat it
>> as a JPG file. It can't magically tell that the actual content of the
>> file is not a JPG.
>
> Sometimes it can. Mediawiki uses FileInfo or mime_content_type() to  
> check uploaded files.
> See:
> <http://www.mediawiki.org/wiki/Manual:Mime_type_detection>
> <http://www.php.net/manual/en/book.fileinfo.php>
> <http://www.php.net/manual/en/function.mime-content-type.php>
>
>> I don't think there's any bug to fix, as this is not a
>> WordPress-specific vulnerability. It's a generic vulnerability to any
>> software which allows you to upload files to a server and uses the
>> filename to differentiate between them.
>
> The point is not to trust the suffix only.
>
>> The actual vulnerability is in Apache with the MultiViews option  
>> enabled.
>
> In Apache it’s a feature. The server doesn’t know if you want this  
> effect.
>
> Thomas
>
> -- 
> Redaktion, Druck- und Webdesign
> http://toscho.de · 0160/1764727
> Twitter: @toscho
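
The content check discussed in this thread, sketched as an added example that is not part of the original messages and is not WordPress or MediaWiki code. The function name `safe_upload_name` and the allow-list are assumptions made for illustration; it uses PHP's Fileinfo extension, which the thread links to.

```php
<?php
// Added example: hypothetical helper, not code from WordPress or MediaWiki.

// Assumed allow-list: extension => MIME type the content must actually have.
const ALLOWED_UPLOADS = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns a safe storage name for an upload, or null to reject it.
 * $tmpPath is the uploaded temp file, $clientName the name the client sent.
 */
function safe_upload_name(string $tmpPath, string $clientName): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    // Require exactly one extension: "test.php.jpg" has two, and a web
    // server may act on an inner segment, not only on the last one.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = $parts[1];
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return null;
    }
    // Sniff the content instead of trusting the suffix or the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_UPLOADS[$ext]) {
        return null;
    }
    // Store under a generated name so no client-chosen segment is kept.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a small PHP script and a minimal GIF header.
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi'; ?>\n");
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

var_dump(safe_upload_name($php, 'test.php.jpg')); // name with two extensions
var_dump(safe_upload_name($php, 'test.jpg'));     // image suffix, script content
var_dump(safe_upload_name($gif, 'photo.gif'));    // GIF content, matching suffix
unlink($php);
unlink($gif);
```

Content sniffing alone does not stop a valid image that also carries script text, which is why the sketch also constrains the name and regenerates it before storage.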


