[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

scribu scribu at gmail.com
Wed Nov 11 20:58:13 UTC 2009


> Wouldn't getimagesize($imgfile); do a check to ensure the file has width and
> height, which an image has but a script file does not? Or can that be
> fudged?

That might work for images, but what about audio and other types of
valid content?

On 11/11/09, Lynne Pope <lynne.pope at gmail.com> wrote:
> 2009/11/12 Matt Martz <matt at sivel.net>
>
>> > Couldn't you just block anything with *.php.* from being uploaded thru
>> > wordpress?
>>
>> Ryan has opened a ticket for this and has already attached a patch.
>>
>> http://core.trac.wordpress.org/ticket/11122
>>
>
> Cool :-)
>
> I just learned that Multiviews are enabled by default and that this is the
> config for WHM/cPanel servers. Which means a whole heap of WordPress users
> will have this without knowing that this kind of content negotiation can
> result in security vulnerabilities.
>
> Re - the patch, I have a question I want to make here (because it could be
> completely off the wall)...
> Wouldn't getimagesize($imgfile); do a check to ensure the file has width and
> height, which an image has but a script file does not? Or can that be
> fudged?
>
> I am not yet in the PHP expert league, as some of you are, so thought I'd
> ask here rather than clutter up the trac ;)
>
> Cheers,
> Lynne
>
>
> --
> http://twitter.com/elpie/


-- 
http://scribu.net
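
One way to do the filename check discussed in this thread, as an added example (it is not the patch attached to ticket 11122 and not WordPress code). It looks only at the name, so it applies equally to audio and other types where getimagesize() cannot help. The function name, the allow-list and the sample filenames are assumptions.

```php
<?php
// Added example, not WordPress core code. The allow-list below is an assumption.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'mp3', 'ogg', 'pdf'];

/** Returns a storable filename, or null when the upload should be refused. */
function safe_upload_name(string $filename, array $allowed = ALLOWED_EXTENSIONS): ?string
{
    // Keep only the last path component and drop control characters.
    $name  = basename(str_replace('\\', '/', $filename));
    $name  = preg_replace('/[\x00-\x1f]/', '', $name);
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }

    // The final extension must be on the allow-list.
    $final = strtolower(array_pop($parts));
    if (!in_array($final, $allowed, true)) {
        return null;
    }

    $out = array_shift($parts);
    if ($out === '') {
        return null;                       // dotfile such as ".htaccess.jpg"
    }

    // Every inner part that looks like an extension and is not on the
    // allow-list gets a trailing underscore, so a server that considers
    // every extension in a name (the *.php.* case) finds nothing to map.
    foreach ($parts as $part) {
        $out .= '.' . $part;
        if (preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)
            && !in_array(strtolower($part), $allowed, true)) {
            $out .= '_';
        }
    }
    return $out . '.' . $final;
}

// Constructed sample names, not taken from the thread.
$samples = ['photo.jpg', 'holiday.php.jpg', 'track.phtml.mp3',
            'notes.v2.pdf', 'script.php', '.htaccess.jpg'];
foreach ($samples as $sample) {
    printf("%-18s => %s\n", $sample, var_export(safe_upload_name($sample), true));
}
```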

