[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Wed Nov 11 20:05:05 UTC 2009


On Wed, Nov 11, 2009 at 1:57 PM, Lynne Pope <lynne.pope at gmail.com> wrote:
> 2009/11/12 Otto <otto at ottodestruct.com>
> It's a trivial matter for WordPress to ensure that the file has only the JPG
> extension though.

So you're suggesting that filenames like my.summer.vacation.jpg are invalid?

Seems rather arbitrary.

> You are right, it's not a WordPress-specific vulnerability. However, I was
> able to reproduce this on a shared server. The htaccess directive stops it
> cold...

Since you can reproduce this and I still can't, can you confirm that
adding "Options -MultiViews" to the .htaccess stops it as well?

> Perhaps hosts are not as smart as we think they are?

You're just preaching to the choir now... ;)

> This exploit is in the wild now

And it's unlikely to be a threat. Basically, it's a privilege
escalation exploit. To exploit it, you have to have the rights to
upload files already. You have to have an account. You have to be able
to make posts. And you apparently have to have a rare condition on the
server to make it vulnerable (one which has not been properly defined
yet, I might add).

It's pretty low in terms of threat level, as I see it.

> and it won't matter to users whether the
> host configuration is poor or not - they will just see WordPress being
> hacked.

Happens all the time. Shared servers are notoriously shit for
security. Look at all the "my WP got hacked" posts in the support
forums. Most of the time, they're on shared servers with poor
inter-user security. Any one site on the box gets hacked, and the
attacker runs a script which finds anything with a php extension and
adds his little crap code to it. Voila, 1000 sites all hacked in an
instant. Doesn't stop the user from blaming WP there, even though WP
had nothing to do with it.

> I think it's worth fixing.

I don't. It might be worth adding to an exploit scanner plugin ("Your
server has multiviews enabled! This is a well known Apache problem
[link to article on the topic]. To fix this, add the following to
.htaccess:..."), but that's it.

-Otto
Sent from Memphis, TN, United States
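The directive discussed in the exchange above, shown as an added example of a wp-content/uploads/.htaccess hardening fragment. This is not code from the thread or from WordPress; it assumes Apache 2.2 with mod_php and an AllowOverride that permits Options and FileInfo in that directory. The weak setting is left commented beside the corrected one, and the FilesMatch block goes beyond what the thread proposes as a defence-in-depth measure.

```apache
# Added example, not from the thread. Place in wp-content/uploads/.htaccess.
# Assumes Apache 2.2, mod_php5, and AllowOverride Options FileInfo for this tree.

# Weak: with content negotiation on, a request for /uploads/name.php can be
# answered with /uploads/name.php.jpg, and a PHP handler keyed on ".php"
# anywhere in the filename may then run the upload.
# Options +MultiViews

# Fix raised in the thread: switch negotiation off for the uploads tree.
Options -MultiViews

# Defence in depth (assumption, beyond the thread): never run uploads as PHP,
# whatever their extension, and refuse to serve anything with ".php" in the name.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Apache 2.2 syntax; on Apache 2.4 replace the two lines with "Require all denied".
<FilesMatch "\.php">
    Order allow,deny
    Deny from all
</FilesMatch>
```

The FilesMatch pattern is deliberately unanchored so it also catches multi-extension names such as name.php.jpg; the cost is that a genuine image whose name contains ".php" will not be served from this directory, which is an acceptable trade-off for an uploads tree. After deploying, confirm the override took effect by requesting an uploaded file under a negotiated name and checking that Apache returns 404 rather than the file; if it still resolves, AllowOverride in the server config is not permitting Options for this path.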

