[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
Ken Newman
Ken at adcSTUDIO.com
Wed Nov 11 20:58:43 UTC 2009
Crap. Yeah, I have one client on a host using cPanel. Confirmed that
info.php.jpg does execute on their server.
On 11/11/2009 3:53 PM, Lynne Pope wrote:
> 2009/11/12 Matt Martz<matt at sivel.net>
>
>
>>> Couldn't you just block anything with *.php.* from being uploaded thru
>>> wordpress?
>>>
>> Ryan has opened a ticket for this and has already attached a patch.
>>
>> http://core.trac.wordpress.org/ticket/11122
>>
>>
> Cool :-)
>
> I just learned that Multiviews are enabled by default and that this is the
> config for WHM/cPanel servers. Which means a whole heap of WordPress users
> will have this without knowing that this kind of content negotiation can
> result in security vulnerabilities.
>
> Re - the patch, I have a question I want to make here (because it could be
> completely off the wall)...
> Wouldn't getimagesize($imgfile); do a check to ensure the file has width and
> height, which an image has but a script file does not? Or can that be
> fudged?
>
> I am not yet in the PHP expert league, as some of you are, so thought I'd
> ask here rather than clutter up the trac ;)
>
> Cheers,
> Lynne
>
>
>
More information about the wp-hackers
mailing list