[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
Ken Newman
Ken at adcSTUDIO.com
Thu Nov 12 16:40:27 UTC 2009
I have replicated this behavior, as in, executed info.php.jpg on a server
run by a popular hosting company. (Is it appropriate to list hosts
here?) I figured out which host to test from the previous message from
Lynne Pope:
I just learned that Multiviews are enabled by default and that this is the
config for WHM/cPanel servers.
So I went to a client's site (one of our only clients with a cPanel
host; going to switch them to our normal host soon) and tested it. I
was surprised that it worked on such a popular host.
If you want to test this out, Dave Jones or Otto, you'll probably have
to use a host with WHM/cPanel.
On 11/12/2009 11:25 AM, Dave Jones wrote:
> I'm slightly confused since I thought the exploit allowed arbitrary
> execution of PHP on the server. This is much worse than an XSS
> JavaScript exploit since PHP could potentially send spam emails,
> execute a DDoS attack, delete your public_html directory from the
> server or whatever.
>
> I have no doubt that fixing this exploit is a good thing, however I
> feel it slightly misses the point. That said, I have been unable to
> replicate this exploit in the wild, even with Options +MultiViews.
>
> This is clearly an Apache misconfiguration issue and if fixed in WP
> will remain unfixed in countless other web applications. It would be
> far better to ensure your host correctly configures Apache and doesn't
> leave security holes in the server, or move to a host that does!
>
>
> Dave Jones
> www.technicacreative.co.uk
>
>
> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
>
>> Okay, good news, we've fixed the extension exploit and then will have
>> to wait another 6 to 8 months while another XSS attack shows up about
>> people adding images executing JavaScript on their servers (which
>> isn't completely bad since most / all administrative tasks require a
>> nonce).
>
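As an added illustration (editor's example, not part of Ken's message, the quoted replies, or the WordPress advisory itself), here is the shape of the Apache configuration the thread is talking about, with the weak host default beside a hardened per-directory block for the upload tree. The paths, the handler name and the exact extension list are assumptions. Independent of MultiViews, Apache's mod_mime treats every dot-separated suffix of a filename as an extension, so a file named info.php.jpg still matches a handler registered for .php; MultiViews on top of that lets a request for /uploads/info.php be negotiated to /uploads/info.php.jpg. The access-control syntax is the Apache 2.2 form current when this thread was written.

```apache
# --- Weak: a WHM/cPanel-style default as described in the thread (assumed) ---
<Directory "/home/example/public_html">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>
# mod_mime matches each dot-separated suffix, so "info.php.jpg" carries the
# .php extension and is handed to the PHP handler.  MultiViews additionally
# lets a request for /uploads/info.php resolve to /uploads/info.php.jpg.
AddHandler php5-script .php

# --- Hardened: per-directory rules for the WordPress upload tree (assumed path) ---
<Directory "/home/example/public_html/wp-content/uploads">
    # Turn off content negotiation and CGI execution for uploaded files.
    Options -MultiViews -ExecCGI
    # Drop every handler that could interpret an uploaded file as code,
    # whatever other extensions follow it in the name.
    RemoveHandler .php .php3 .php4 .php5 .phtml .pl .py .cgi
    # Serve everything here as a plain static file.
    SetHandler default-handler
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
    # Belt and braces: refuse to serve any name containing a PHP extension
    # anywhere, not only at the end (catches info.php.jpg).
    <FilesMatch "\.ph(p[0-9]?|tml)(\.|$)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

The per-directory block is what Dave's "ensure your host correctly configures Apache" amounts to in practice: it holds regardless of what WordPress does with extensions, and the same block can be dropped into any other application's upload directory on the same host. On Apache 2.4 without mod_access_compat, replace the Order/Deny pair with `Require all denied`.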