[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Dave Jones dave at technicacreative.co.uk
Thu Nov 12 16:25:02 UTC 2009

I'm slightly confused since I thought the exploit allowed arbitrary  
execution of PHP on the server.  This is much worse than an XSS
JavaScript exploit since PHP could potentially send spam emails,
execute a DDOS attack, delete your public_html directory from the  
server or whatever.

I have no doubt that fixing this exploit is a good thing, however I
feel it slightly misses the point.  That said, I have been unable to
replicate this exploit in the wild, even with Options +MultiViews.

This is clearly an Apache/mis-configuration issue and if fixed in WP
will remain unfixed in countless other web applications.  It would be  
far better to ensure your host correctly configures Apache and doesn't  
leave security holes in the server, or move to a host that does!

Dave Jones

On 12 Nov 2009, at 16:18, Jacob Santos wrote:

> Okay, good news, we've fixed the extension exploit and then will  
> have to wait another 6 to 8 months while another XSS attack shows up  
> about people adding images executing JavaScript on their servers  
> (which isn't completely bad since most / all administrative tasks  
> require a nonce).
