[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Thu Nov 12 21:50:19 UTC 2009

On Thu, Nov 12, 2009 at 3:26 PM, Robert Pendell
<shinji at elite-systems.org> wrote:
> Ok.  I'm curious here.  Does this only affect configurations that use php as
> an Apache module?  That's what those instructions dictate.  Here is my
> configuration and it isn't affected even with MultiViews on.  I am running
> php as a fastcgi binary.
> .htaccess:
> AddHandler fastcgi-script fcg fcgi fpl
> AddHandler php5-fastcgi .php
> Action php5-fastcgi /php5-wrapper.fcgi

I have no idea what specific configurations it is under; however, I did
find this interesting tidbit:


Looks like Apache has no intention of correcting this misfeature.

Sent from Memphis, TN, United States
