[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Thu Nov 12 21:37:38 UTC 2009


"Fixed" is not the word I'd use to describe it. The vulnerability
still exists, WP 2.8.6 just has a hacky workaround to prevent it being
easily exploited through WordPress.

I'd prefer an actual fix to my Apache configuration which prevents the
file from executing in the first place.

-Otto



On Thu, Nov 12, 2009 at 3:30 PM, Pete Mall <pete at jointforcestech.com> wrote:
> This is already fixed in WP 2.8.6.
>
>
> On Thu, Nov 12, 2009 at 1:26 PM, Robert Pendell <shinji at elite-systems.org> wrote:
>
>> Ok.  I'm curious here.  Does this only affect configurations that use php as
>> an Apache module?  That's what those instructions dictate.  Here is my
>> configuration and it isn't affected even with MultiViews on.  I am running
>> php as a fastcgi binary.
>>
>> .htaccess:
>> AddHandler fastcgi-script fcg fcgi fpl
>> AddHandler php5-fastcgi .php
>> Action php5-fastcgi /php5-wrapper.fcgi
>>
>>
>>
>>
>> Robert Pendell
>> shinji at elite-systems.org
>> CAcert Assurer
>> "A perfect world is one of chaos."
>>
>>
>>
>> On Thu, Nov 12, 2009 at 12:00 PM, Otto <otto at ottodestruct.com> wrote:
>>
>> > Scratch that, I found a vulnerable host. Friend of mine has a shared
>> > hosting account which shows the issue.
>> >
>> > What's more, I figured out how to reproduce the problem. And it has
>> > nothing to do with MultiViews.
>> >
>> >
>> > If the host's configuration uses this (or similar) to tie PHP files
>> > to the PHP interpreter, then test.php.jpg is executable:
>> >
>> > AddHandler application/x-httpd-php .php
>> >
>> > If, instead, they use this (or similar):
>> >
>> > <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
>> >    SetHandler application/x-httpd-php
>> > </FilesMatch>
>> > <FilesMatch "\.phps$">
>> >   SetHandler application/x-httpd-php-source
>> > </FilesMatch>
>> >
>> > Then the server is safe from this type of attack.
>> >
>> > Step 15 here talks about this sort of thing:
>> > http://php.net/manual/en/install.unix.apache2.php
>> >
>> >
>> > -Otto
>> > Sent from Memphis, TN, United States
>> >
>> >
>> > On Thu, Nov 12, 2009 at 10:43 AM, Otto <otto at ottodestruct.com> wrote:
>> > > I don't have access to any hosts that have this issue. I tried the
>> > > ones I use, and have yet to find one that will execute *.php.jpg from
>> > > a web request.
>> > >
>> > > If it's an Apache problem, then somebody should be able to tell me how
>> > > to configure Apache to do it. I can't figure it out.
>> > >
>> > > I can confirm that simply turning on MultiViews doesn't create an
>> > > exploitable system. There's some more configuration to make it happen.
>> > >
>> > > A default Apache and PHP installation, with no extreme changes to
>> > > them, is NOT vulnerable.
>> > >
>> > > -Otto
>> > >
>> > >
>> > >
>> > > On Thu, Nov 12, 2009 at 10:40 AM, Ken Newman <Ken at adcstudio.com> wrote:
>> > >> I have replicated this behavior, as in executed info.php.jpg on a server
>> > >> running from a popular hosting company. (Is it appropriate to list hosts
>> > >> here?) I figured out which host to test from the previous message from
>> > >> Lynne Pope:
>> > >>
>> > >> I just learned that Multiviews are enabled by default and that this is the
>> > >> config for WHM/cPanel servers.
>> > >>
>> > >> So I went to a client's site (one of our only clients with a cPanel host;
>> > >> going to switch them to our normal host soon.) and tested it. I was
>> > >> surprised that it worked on such a popular host.
>> > >>
>> > >> If you want to test this out, Dave Jones or Otto, you'll probably have to
>> > >> use a host with WHM/cPanel.
>> > >>
>> > >> On 11/12/2009 11:25 AM, Dave Jones wrote:
>> > >>>
>> > >>> I'm slightly confused since I thought the exploit allowed arbitrary
>> > >>> execution of PHP on the server.  This is much worse than an XSS Javascript
>> > >>> exploit since PHP could potentially send spam emails, execute a DDOS attack,
>> > >>> delete your public_html directory from the server or whatever.
>> > >>>
>> > >>> I have no doubt that fixing this exploit is a good thing, however I feel
>> > >>> it slightly misses the point.  That said, I have been unable to replicate
>> > >>> this exploit in the wild, even with Options +MultiViews.
>> > >>>
>> > >>> This is clearly an Apache mis-configuration issue and if fixed in WP will
>> > >>> remain unfixed in countless other web applications.  It would be far better
>> > >>> to ensure your host correctly configures Apache and doesn't leave security
>> > >>> holes in the server, or move to a host that does!
>> > >>>
>> > >>>
>> > >>> Dave Jones
>> > >>> www.technicacreative.co.uk
>> > >>>
>> > >>>
>> > >>> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
>> > >>>
>> > >>>> Okay, good news, we've fixed the extension exploit and then will have to
>> > >>>> wait another 6 to 8 months while another XSS attack shows up about people
>> > >>>> adding images executing JavaScript on their servers (which isn't completely
>> > >>>> bad since most / all administrative tasks require a nonce).
>> > >>>
>> > >>> _______________________________________________
>> > >>> wp-hackers mailing list
>> > >>> wp-hackers at lists.automattic.com
>> > >>> http://lists.automattic.com/mailman/listinfo/wp-hackers


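As an added example, not taken from any message in this thread: the weak handler mapping Otto describes beside the anchored form he says is safe, plus an uploads-directory block that refuses to hand any file to PHP regardless of the mapping. The document root and uploads path are assumed placeholders, and the `<IfModule>` guard is there because `php_admin_flag` is only known to Apache when mod_php is loaded.

```apache
# Added example, not from the wp-hackers thread. Paths are assumed placeholders.

# WEAK. mod_mime treats every dotted segment as an extension and matches any
# of them, so "test.php.jpg" is handed to PHP as readily as "test.php".
# The FastCGI pairing has the same flaw:
#   AddHandler php5-fastcgi .php
#   Action php5-fastcgi /php5-wrapper.fcgi
# AddHandler application/x-httpd-php .php

# HARDENED. Only a name that ENDS in a PHP extension reaches the interpreter;
# "test.php.jpg" is then served as plain content. (For FastCGI, use
# "SetHandler php5-fastcgi" in the same <FilesMatch>.)
<Directory "/var/www/html">
    <FilesMatch "\.(php|php5|php4|php3|phtml|phpt)$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</Directory>

# DEFENCE IN DEPTH for the one directory that must accept user uploads.
# More specific <Directory> sections are merged after less specific ones,
# so this block wins over the mapping above. The pattern is deliberately
# NOT anchored with "$": here even "test.php.jpg" must get no handler.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.ph(p[345]?|tml|pt|ps)">
        SetHandler None
    </FilesMatch>
    # mod_php only: the directive is unknown (a startup error) without it.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

After changing the mapping, request an existing harmless file such as `readme.txt.php.jpg` from the uploads directory on your own server: it should come back as bytes, not as PHP output.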