[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Wed Nov 11 19:58:05 UTC 2009


On Wed, Nov 11, 2009 at 1:53 PM, Thomas Scholz <info at toscho.de> wrote:
> Sometimes it can. Mediawiki uses FileInfo or mime_content_type() to check
> uploaded files.
> See:
> <http://www.mediawiki.org/wiki/Manual:Mime_type_detection>
> <http://www.php.net/manual/en/book.fileinfo.php>
> <http://www.php.net/manual/en/function.mime-content-type.php>

All of these are unreliable, at best. The fileinfo extension is
probably not installed, mime_content_type() is deprecated (and
straight up doesn't work as far as I can tell).

> The point is not trust the suffix only.

There is no trustworthy way to determine file type, period. So it's a
matter of choosing what you want to use, all methods have drawbacks.
Filename suffix is the most common and most well understood.

>> The actual vulnerability is in Apache with the MultiViews option enabled.
>
> In Apache it’s a feature. The server doesn’t know if you want this effect.

Still can't get this to work, BTW. I enabled MultiViews. No change,
the PHP does not execute.

What else are the preconditions to make this thing vulnerable?

-Otto
Sent from Memphis, TN, United States
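Editor's note, added to this archived message and not part of Otto's or Thomas's posts: the two kinds of check under discussion fail in different ways, and the Python sketch below makes that concrete. The signature table is a toy subset of what libmagic-style sniffers (PHP's fileinfo, mime_content_type()) do; the polyglot input is constructed here, not taken from any real upload. The multiple-extension behaviour mirrors Apache's mod_mime, which treats every dot-separated part of a filename as an extension, so a handler registered for .php also applies to shell.php.jpg; the set of handler extensions used below is an assumption about a typical configuration, as is the image-only allow-list.

```python
import os
import re
from typing import Optional

# Toy subset of a libmagic-style signature table (the approach that fileinfo
# and mime_content_type() take). Only the leading bytes are examined.
MAGIC_SIGNATURES = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"<?php", "text/x-php"),
)


def sniff_mime(data: bytes) -> str:
    """Content-based detection: the first matching signature wins."""
    for magic, mime in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def contains_php_open_tag(data: bytes) -> bool:
    """A check a signature sniffer never does: look for a PHP tag anywhere."""
    return b"<?php" in data or b"<?=" in data


# Constructed sample input: a GIF signature followed by PHP. The sniffer
# reports an image; a PHP interpreter would still run the code after the header.
POLYGLOT = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"<?php echo 'executed'; ?>"

# Assumption: a typical handler mapping such as
#   AddHandler application/x-httpd-php .php
# mod_mime matches this against every extension in the name, not just the last.
PHP_HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml"}


def apache_treats_as_php(filename: str) -> bool:
    """Mimic mod_mime's multiple-extension matching for a handler."""
    parts = filename.lower().split(".")[1:]  # every extension after the first dot
    return any(part in PHP_HANDLER_EXTS for part in parts)


# Assumption: an image-only upload allow-list.
ALLOWED_UPLOAD_EXTS = {"jpg", "jpeg", "gif", "png"}


def safe_upload_name(filename: str) -> Optional[str]:
    """Suffix allow-list that survives mod_mime: exactly one extension, taken
    from the allow-list, and a stem with no dots or path characters.
    Returns None when the upload should be rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return None  # no extension, or a dotfile such as .htaccess
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXTS:
        return None
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)  # collapses inner dots too
    return f"{stem}.{ext}"


if __name__ == "__main__":
    print(sniff_mime(POLYGLOT))             # image/gif
    print(contains_php_open_tag(POLYGLOT))  # True
    for name in ("photo.jpg", "shell.php.jpg", "shell.jpg.php", ".htaccess"):
        print(name, apache_treats_as_php(name), safe_upload_name(name))
```

The point of the sketch is that content sniffing and suffix checking answer different questions: the sniffer says what the file looks like at byte zero, while the suffix decides which handler Apache will hand the file to. A stored name that ends in an allowed extension and contains no other dots is what keeps the second question answered the way you want, whatever the bytes inside.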