[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Thu Nov 12 16:43:23 UTC 2009 

I don't have access to any hosts that have this issue. I tried the
ones I use, and have yet to find one that will execute *.php.jpg from
a web request.

If it's an Apache problem, then somebody should be able to tell me how
to configure Apache to do it. I can't figure it out.

I can confirm that simply turning on MultiViews doesn't create an
exploitable system. There's some more configuration to make it happen.

A default Apache and PHP installation, with no extreme changes to
them, is NOT vulnerable.

-Otto



On Thu, Nov 12, 2009 at 10:40 AM, Ken Newman <Ken at adcstudio.com> wrote:
> I have replicated this behavior, as in executed info.php.jpg on a server
> running from a popular hosting company. (Is it appropriate to list hosts
> here?) I figured out which host to test from the previous message from Lynne
> Pope, :
>
> I just learned that Multiviews are enabled by default and that this is the
> config for WHM/cPanel servers.
>
> So I went to a client's site (one of our only clients with a cPanel host;
> going to switch them to our normal host soon.) and tested it. I was
> surprised that it worked on such a popular host.
>
> If you want to test this out, Dave Jones or Otto, you'll probably have to
> use a host with WHM/cPanel.
>
> On 11/12/2009 11:25 AM, Dave Jones wrote:
>>
>> I'm slightly confused since I thought the exploit allowed arbitrary
>> execution of PHP on the server.  This is much worse than a XSS Javascript
>> exploit since PHP could potentially send spam emails, execute a DDOS attack,
>> delete your public_html directory from the server or whatever.
>>
>> i have no doubt that fixing this exploit is a good thing, however I feel
>> it slightly misses the point.  That said, I have been unable to replicate
>> this exploit in the wild, even with Options +MultiVIews.
>>
>> This is clearly and Apache/mis-configuration issue and if fixed in WP will
>> remain unfixed in countless other web applications.  It would be far better
>> to ensure your host correctly configures Apache and doesn't leave security
>> holes in the server, or move to a host that does!
>>
>>
>> Dave Jones
>> www.technicacreative.co.uk
>>
>>
>> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
>>
>>> Okay, good news, we've fixed the extension exploit and then will have to
>>> wait another 6 to 8 months while another XSS attack shows up about people
>>> adding images executing JavaScript on their servers (which isn't completely
>>> bad since most / all administrative tasks requires a nonce).
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

More information about the wp-hackers mailing list