[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
otto at ottodestruct.com
Wed Nov 11 19:58:05 UTC 2009
On Wed, Nov 11, 2009 at 1:53 PM, Thomas Scholz <info at toscho.de> wrote:
> Sometimes it can. Mediawiki uses FileInfo or mime_content_type() to check
> uploaded files.
All of these are unreliable, at best. The fileinfo extension is
probably not installed, the mime-content-type is deprecated (and
straight up doesn't work as far as I can tell).
> The point is not to trust the suffix only.
There is no trustworthy way to determine file type, period. So it's a
matter of choosing what you want to use; all methods have drawbacks.
Filename suffix is the most common and most well understood.
>> The actual vulnerability is in Apache with the MultiViews option enabled.
> In Apache it’s a feature. The server doesn’t know if you want this effect.
Still can't get this to work, BTW. I enabled MultiViews. No change,
the PHP does not execute.
What else are the preconditions to make this thing vulnerable?
Sent from Memphis, TN, United States
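
The thread settles on the filename suffix as the check to rely on and points at server configuration as the place where that check can be undermined. As an added example (not from the thread or from WordPress; `check_upload_name` and the allow-list are hypothetical), here is a suffix allow-list written on the assumption that the web server may act on a suffix other than the last one:

```php
<?php
// Added illustration, not WordPress code. Function name and allow-list
// are hypothetical; sample names at the bottom are constructed.

const ALLOWED_SUFFIXES = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Return a safe storage name for an upload, or null to reject it.
 * Assumption: the server may act on a suffix that is not the final one,
 * so every dot-separated segment after the base name must be allow-listed.
 */
function check_upload_name(string $clientName): ?string
{
    // Keep only the last path component of whatever the client sent.
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject empty names, dotfiles (.htaccess and similar) and control bytes.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }

    $parts = explode('.', strtolower($name));
    array_shift($parts);              // discard the base name
    if (count($parts) === 0) {
        return null;                  // no suffix at all
    }

    // Strict on purpose: "a.php.jpg" and "a.final.pdf" are both rejected,
    // because one segment is not on the allow-list.
    foreach ($parts as $segment) {
        if (!in_array($segment, ALLOWED_SUFFIXES, true)) {
            return null;
        }
    }

    // Store under a generated name so the client's name never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

// Constructed sample names.
foreach (['photo.jpg', 'report.final.pdf', 'image.php.jpg', '.htaccess', 'notes'] as $n) {
    printf("%-18s => %s\n", $n, check_upload_name($n) === null ? 'rejected' : 'accepted');
}
```

Only `photo.jpg` is accepted from the sample list; the check says nothing about file content, which the thread treats as unreliable to determine.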