[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Ken Newman Ken at adcSTUDIO.com
Thu Nov 12 16:40:27 UTC 2009


I have replicated this behavior, as in executed info.php.jpg on a server 
running from a popular hosting company. (Is it appropriate to list hosts 
here?) I figured out which host to test from the previous message from 
Lynne Pope:

I just learned that MultiViews are enabled by default and that this is the
config for WHM/cPanel servers.

So I went to a client's site (one of our only clients with a cPanel 
host; we're going to switch them to our normal host soon) and tested it. I 
was surprised that it worked on such a popular host.

If you want to test this out, Dave Jones or Otto, you'll probably have 
to use a host with WHM/cPanel.

On 11/12/2009 11:25 AM, Dave Jones wrote:
> I'm slightly confused since I thought the exploit allowed arbitrary 
> execution of PHP on the server.  This is much worse than an XSS 
> JavaScript exploit since PHP could potentially send spam emails, 
> execute a DDoS attack, delete your public_html directory from the 
> server or whatever.
>
> I have no doubt that fixing this exploit is a good thing, however I 
> feel it slightly misses the point.  That said, I have been unable to 
> replicate this exploit in the wild, even with Options +MultiViews.
>
> This is clearly an Apache misconfiguration issue and if fixed in WP 
> will remain unfixed in countless other web applications.  It would be 
> far better to ensure your host correctly configures Apache and doesn't 
> leave security holes in the server, or move to a host that does!
>
>
> Dave Jones
> www.technicacreative.co.uk
>
>
> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
>
>> Okay, good news, we've fixed the extension exploit and then will have 
>> to wait another 6 to 8 months while another XSS attack shows up about 
>> people adding images executing JavaScript on their servers (which 
>> isn't completely bad since most / all administrative tasks require a 
>> nonce).
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
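The mechanism the thread is circling is Apache's mod_mime multiple-extension rule: every extension in a filename contributes metadata, so on a host that binds PHP with `AddHandler ... .php`, a file named info.php.jpg gets the PHP handler (from .php) and the image/jpeg type (from .jpg), and executes when requested. MultiViews only adds a second way to reach it (a request for info.php can be negotiated to info.php.jpg). The server-side fix is to bind PHP with `<FilesMatch "\.php$">` plus `SetHandler` instead of `AddHandler`, and to set `Options -MultiViews` on upload directories. The application-side defence is to refuse to store a name whose intermediate extensions could be handler-mapped. The following is an added example of that application-side check, written for this note; it is not WordPress code and not code from any host named above, and the allow-list and the "looks like an extension" pattern are constructed assumptions:

```python
"""Added example: neutralise intermediate extensions in an uploaded filename.

Illustrative code written for this note, not WordPress's fix and not any
host's configuration. It assumes an Apache setup where PHP is bound with
`AddHandler ... .php`, so that mod_mime's multiple-extension rule makes
`info.php.jpg` run as PHP while still carrying image/jpeg as its type.
"""
import re

# Extensions accepted as the *final* extension of an upload. This allow-list
# is constructed for the example; a real deployment takes it from the
# application's MIME whitelist.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "pdf", "txt"}

# Assumed shape of something mod_mime could have a mapping for: 2-5 letters
# with an optional trailing digit (php, php5, phtml, cgi, pl, shtml, ...).
_EXT_LIKE = re.compile(r"^[A-Za-z]{2,5}\d?$")


def split_name(filename: str):
    """Return (base, intermediate_exts, final_ext) for a plain filename."""
    parts = filename.split(".")
    if len(parts) < 2:
        return filename, [], ""
    return parts[0], parts[1:-1], parts[-1]


def has_double_extension_risk(filename: str) -> bool:
    """True when an intermediate extension looks handler-mappable and is not
    on the allow-list, i.e. the server might not judge the file by its last
    extension alone ("info.php.jpg" -> True, "photo.jpg" -> False)."""
    _, middles, _ = split_name(filename)
    return any(_EXT_LIKE.match(m) and m.lower() not in ALLOWED_EXTENSIONS
               for m in middles)


def sanitize_upload_name(filename: str) -> str:
    """Reject a disallowed final extension and defang intermediate ones.

    Each intermediate extension that looks handler-mappable and is not on the
    allow-list gets an underscore appended, so ".php" becomes ".php_", for
    which mod_mime has no handler mapping. Raises ValueError when the final
    extension itself is not allowed.
    """
    base, middles, final = split_name(filename)
    if final.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"final extension {final!r} not allowed")
    fixed = []
    for m in middles:
        if _EXT_LIKE.match(m) and m.lower() not in ALLOWED_EXTENSIONS:
            m += "_"
        fixed.append(m)
    return ".".join([base, *fixed, final])


if __name__ == "__main__":
    # Constructed sample names, including the one from the thread.
    for name in ("info.php.jpg", "photo.jpg", "shell.phtml.png",
                 "holiday.2009.jpg"):
        print(f"{name:20} risk={has_double_extension_risk(name)!s:5} "
              f"stored as {sanitize_upload_name(name)}")
```

Both checks are deliberately conservative: a name such as archive.tar.gz is flagged even though .tar is harmless, because the cost of an underscore in a stored filename is far lower than the cost of guessing which extensions a given host's mod_mime configuration maps. The check is a second line of defence; the Apache directives above are still the fix that covers every application on the host.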


