[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Dave Jones dave at technicacreative.co.uk
Thu Nov 12 16:43:00 UTC 2009


Ah Ok, I don't use cPanel though have done in the past and yes it is
very popular and widespread.

This could probably be considered a bug/issue with cPanel WHM as much
as WordPress then?

Dave Jones
www.technicacreative.co.uk


On 12 Nov 2009, at 16:40, Ken Newman wrote:

> I have replicated this behavior, as in executed info.php.jpg on a  
> server running from a popular hosting company. (Is it appropriate to  
> list hosts here?) I figured out which host to test from the previous  
> message from Lynne Pope:
>
> I just learned that Multiviews are enabled by default and that this is the
> config for WHM/cPanel servers.
>
> So I went to a client's site (one of our only clients with a cPanel  
> host; going to switch them to our normal host soon.) and tested it.  
> I was surprised that it worked on such a popular host.
>
> If you want to test this out, Dave Jones or Otto, you'll probably  
> have to use a host with WHM/cPanel.
>
> On 11/12/2009 11:25 AM, Dave Jones wrote:
>> I'm slightly confused since I thought the exploit allowed arbitrary  
>> execution of PHP on the server.  This is much worse than an XSS
>> JavaScript exploit since PHP could potentially send spam emails,
>> execute a DDOS attack, delete your public_html directory from the  
>> server or whatever.
>>
>> I have no doubt that fixing this exploit is a good thing, however I
>> feel it slightly misses the point.  That said, I have been unable
>> to replicate this exploit in the wild, even with Options +MultiViews.
>>
>> This is clearly an Apache/mis-configuration issue and if fixed in
>> WP will remain unfixed in countless other web applications.  It  
>> would be far better to ensure your host correctly configures Apache  
>> and doesn't leave security holes in the server, or move to a host  
>> that does!
>>
>>
>> Dave Jones
>> www.technicacreative.co.uk
>>
>>
>> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
>>
>>> Okay, good news, we've fixed the extension exploit and then will  
>>> have to wait another 6 to 8 months while another XSS attack shows  
>>> up about people adding images executing JavaScript on their  
>>> servers (which isn't completely bad since most / all
>>> administrative tasks require a nonce).
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers


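For the info.php.jpg case discussed in this thread, here is an added example (not part of the original messages and not WordPress's own code) of an upload-name check a site owner could run over existing uploads or apply before saving a file. The extension list and all function names are assumptions for illustration; match the list to the handler mappings of the server being audited.

```python
# Added example: flag and neutralise upload names such as "info.php.jpg",
# where an extension other than the last one is mapped to a script handler.

# Assumed set of extensions a host might map to an interpreter.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl"}


def executable_exts(filename):
    """Return every extension in the name that is in EXECUTABLE_EXTS."""
    parts = filename.lower().split(".")
    # parts[0] is the base name; each later part counts as an extension,
    # so a trailing dot or trailing space does not hide one.
    return [p.strip() for p in parts[1:] if p.strip() in EXECUTABLE_EXTS]


def neutralize(filename):
    """Append "_" to executable extensions that are not the final one.

    The final extension is left alone: it is assumed to be checked
    separately against an allow-list of upload types.
    """
    parts = filename.split(".")
    if len(parts) <= 2:
        return filename
    middle = [p + "_" if p.lower() in EXECUTABLE_EXTS else p
              for p in parts[1:-1]]
    return ".".join([parts[0], *middle, parts[-1]])


def audit(names):
    """Map each suspicious name to the executable extensions it carries."""
    return {n: hits for n in names if (hits := executable_exts(n))}


# Constructed sample names, not taken from any real site.
SAMPLE_UPLOADS = ["holiday.jpg", "info.php.jpg", "backup.tar.gz",
                  "Avatar.PHTML.png", "report.v2.pdf", "shell.php."]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_UPLOADS).items():
        print(f"{name}: {hits} -> {neutralize(name)}")
```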
