[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Lynne Pope lynne.pope at gmail.com
Wed Nov 11 20:53:34 UTC 2009


2009/11/12 Matt Martz <matt at sivel.net>

> > Couldn't you just block anything with *.php.* from being uploaded thru
> > wordpress?
>
> Ryan has opened a ticket for this and has already attached a patch.
>
> http://core.trac.wordpress.org/ticket/11122
>

Cool :-)

I just learned that MultiViews are enabled by default and that this is the
config for WHM/cPanel servers. Which means a whole heap of WordPress users
will have this without knowing that this kind of content negotiation can
result in security vulnerabilities.

Re - the patch, I have a question I want to ask here (because it could be
completely off the wall)...
Wouldn't getimagesize($imgfile); do a check to ensure the file has width and
height, which an image has but a script file does not? Or can that be
fudged?

I am not yet in the PHP expert league, as some of you are, so thought I'd
ask here rather than clutter up the trac ;)

Cheers,
Lynne


-- 
http://twitter.com/elpie/
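
The filename check suggested in the quoted reply (block anything with *.php.*), as an added example that is not part of the original message and is not the patch attached to the ticket. It rejects an upload name when any dot-separated extension, not only the last one, is a script extension; the function name, the extension list and the sample names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not WordPress core code and not the
// patch attached to the ticket.

// Assumed list of extensions a server may map to a script handler.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'cgi'];

/**
 * Return true when any extension in the upload name is a script extension.
 * Checking only the final extension would let "photo.php.jpg" through.
 */
function has_script_extension(string $filename): bool
{
    // Use the base name only, so directory components cannot hide an extension.
    $name = strtolower(basename(str_replace('\\', '/', $filename)));
    // Some filesystems drop trailing dots and spaces; strip them before checking.
    $name = rtrim($name, '. ');

    $parts = explode('.', $name);
    array_shift($parts); // drop the base name; every remaining part is an extension

    foreach ($parts as $ext) {
        if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample names, not taken from the thread.
$samples = [
    'holiday.jpg',
    'upload.php',
    'photo.php.jpg',
    'Report.PHP.Pdf',
    'notes.phpx.txt',
    'archive.tar.gz',
    '.php',
];

foreach ($samples as $sample) {
    printf("%-16s %s\n", $sample, has_script_extension($sample) ? 'reject' : 'accept');
}
```

A check like this looks only at the name; it says nothing about the file's contents, which is the separate question raised about getimagesize().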

