[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Thu Nov 12 17:17:20 UTC 2009


That's the basic exploit, yes. Make a PHP file. Rename it to whatever.php.jpg.

WordPress will allow low-privilege users to upload this file through
WordPress, as *.jpg is in the whitelist for those users.

And apparently, some poorly configured Apache installations will let
you request that file and have it actually run as PHP code. Which can
provide a neat little backdoor into the system.

To exploit it, you must have a login to the system, the system must
allow you to upload files, and Apache must be configured using the
older AddHandler directive instead of the latest PHP recommended
method.

-Otto
Sent from Memphis, TN, United States


On Thu, Nov 12, 2009 at 11:11 AM, Chris Jean <gaarai at gaarai.com> wrote:
> I've just caught wind of this issue. Can I get more details on how to
> attempt the exploit? For example, if there is a file: exploit.php.jpg, do I
> simply request that file via the browser or is there a trick to it?
>
> Chris Jean
> http://gaarai.com/
> @chrisjean
>
>
>
> Otto wrote:
>>
>> I just confirmed on my friend's vulnerable host that this code in the
>> .htaccess removed the vulnerability.
>>
>> RemoveHandler application/x-httpd-php .php
>> <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
>>   SetHandler application/x-httpd-php
>> </FilesMatch>
>> <FilesMatch "\.phps$">
>>  SetHandler application/x-httpd-php-source
>> </FilesMatch>
>>
>> -Otto
>> Sent from Memphis, TN, United States
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>

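As an added example (not Otto's code and not part of WordPress or Apache), the Python below emulates the two Apache behaviours the thread turns on: mod_mime's multi-extension matching under the legacy AddHandler directive, where any dot-separated segment of the name can bind a handler, and the end-anchored FilesMatch regex from the quoted .htaccess fix, which binds the PHP handler only when the final extension is a PHP one. It runs both rules over a constructed list of upload names so an administrator can see which stored files would have executed under the old configuration and confirm the fix closes them, and it adds an upload-side allow-list check that rejects double-extension names before they reach the web root. The set of extensions assumed to be bound by AddHandler and the sample filenames are assumptions made for this example.

```python
import re

# Regex copied from the .htaccess fix quoted in the thread: the PHP handler is
# set only when the filename ENDS in a PHP extension. Like Apache's FilesMatch,
# the match is case-sensitive unless the pattern itself says otherwise.
PHP_FILESMATCH = re.compile(r"\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$")

# Extensions assumed (for this example) to be mapped to PHP by a legacy
# "AddHandler application/x-httpd-php ..." line in the server config.
LEGACY_ADDHANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml", "phpt"}

# Constructed sample of upload names, not taken from any real site.
SAMPLE_UPLOADS = [
    "photo.jpg",
    "whatever.php.jpg",
    "index.php",
    "banner.phtml.png",
    "notes.php5",
    "report.txt",
]


def _basename(path: str) -> str:
    """Return the last path component, which is what both rules inspect."""
    return path.rsplit("/", 1)[-1]


def legacy_addhandler_runs_php(filename: str) -> bool:
    """Emulate mod_mime under AddHandler: every dot-separated segment after the
    base name counts as an extension (compared case-insensitively), and a
    handler bound to ANY of them applies to the whole file. This is why
    whatever.php.jpg executes as PHP on such a server."""
    extensions = _basename(filename).split(".")[1:]
    return any(ext.lower() in LEGACY_ADDHANDLER_EXTS for ext in extensions)


def filesmatch_runs_php(filename: str) -> bool:
    """Emulate the fixed configuration: RemoveHandler drops the extension-based
    binding, and the anchored FilesMatch only re-adds it for a trailing PHP
    extension."""
    return PHP_FILESMATCH.search(_basename(filename)) is not None


def classify_uploads(filenames):
    """Map each name to (runs_under_legacy, runs_under_fix) so an operator can
    audit an uploads directory and verify the fix changes the outcome."""
    return {
        name: (legacy_addhandler_runs_php(name), filesmatch_runs_php(name))
        for name in filenames
    }


def is_safe_upload_name(filename: str, allowed_exts=frozenset({"jpg", "jpeg", "png", "gif"})) -> bool:
    """Upload-side check: accept only a non-empty base name with exactly one
    extension from the allow-list, so a double-extension name is refused
    regardless of how the web server is configured."""
    parts = _basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in allowed_exts


if __name__ == "__main__":
    for name, (legacy, fixed) in classify_uploads(SAMPLE_UPLOADS).items():
        print(f"{name:20} legacy_runs_php={legacy!s:5} fixed_runs_php={fixed!s:5} "
              f"upload_allowed={is_safe_upload_name(name)}")
```

Two things worth noting from the output: `index.php` still executes under the fix, which is the intended behaviour for real PHP files in the web root, while `whatever.php.jpg` and `banner.phtml.png` flip from executing to not executing. The FilesMatch pattern is case-sensitive, so on a case-insensitive filesystem an administrator may prefer a `(?i)` prefix or a separate rule; the allow-list check on the upload side does not depend on that detail.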