[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Ken Newman Ken at adcSTUDIO.com
Thu Nov 12 16:48:06 UTC 2009


That's good to know, I will simply let the hosting provider know and 
switch my client to our other provider who isn't vulnerable. I hate 
cPanel anyway. Thanks! If I do get a response from the host about what 
configuration they are running, I'll let you know.

On 11/12/2009 11:43 AM, Otto wrote:
> I don't have access to any hosts that have this issue. I tried the
> ones I use, and have yet to find one that will execute *.php.jpg from
> a web request.
>
> If it's an Apache problem, then somebody should be able to tell me how
> to configure Apache to do it. I can't figure it out.
>
> I can confirm that simply turning on MultiViews doesn't create an
> exploitable system. There's some more configuration to make it happen.
>
> A default Apache and PHP installation, with no extreme changes to
> them, is NOT vulnerable.
>
> -Otto
>    
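A defender-side check for the filename pattern this thread is about (`*.php.jpg`), as an added example that is not from either participant: it flags upload names that carry a script extension before the final one. The extension list, function names and sample listing are assumptions made for illustration.

```python
import os

# Assumption: extensions a host might map to the PHP interpreter; adjust per host.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}


def interior_script_ext(filename):
    """Return the script extension found before the final extension, or None.

    'shell.php.jpg' -> 'php'; 'photo.jpg' and 'index.php' -> None
    (a plain .php upload is a separate check, handled by an extension allowlist).
    """
    # Trailing dots/spaces are stripped so 'x.php.jpg.' is judged like 'x.php.jpg'.
    base = os.path.basename(filename).rstrip(". ")
    parts = base.lower().split(".")
    # parts[0] is the stem, parts[-1] the final extension; inspect what lies between.
    for ext in parts[1:-1]:
        if ext in SCRIPT_EXTS:
            return ext
    return None


def audit_upload_names(names):
    """Map each suspicious name to the interior extension that triggered it."""
    findings = {}
    for name in names:
        ext = interior_script_ext(name)
        if ext is not None:
            findings[name] = ext
    return findings


# Constructed sample listing of an uploads directory (not data from the thread).
SAMPLE_NAMES = [
    "2009/11/holiday.jpg",
    "2009/11/avatar.PHP.jpeg",
    "2009/11/report.v2.pdf",
    "2009/11/banner.phtml.png.bak",
    "2009/11/.php.jpg",
    "2009/11/backup.tar.gz",
]

if __name__ == "__main__":
    for name, ext in audit_upload_names(SAMPLE_NAMES).items():
        print(f"{name}: interior .{ext} extension")
```
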

