[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
dave at technicacreative.co.uk
Wed Nov 11 18:00:34 UTC 2009
I was testing test.php - I have to agree with Otto: on none of my servers does test.php.jpg return anything but an empty image. Looks like this is a false alarm.
On 11 Nov 2009, at 17:48, Otto wrote:
> This seems like an Apache configuration problem to me. There are no
> circumstances I can think of where I'd want test.php.jpg to be
> executed as PHP by Apache.
> A suggestion of an Apache configuration to disallow this type of thing
> in the first place would be more helpful than resorting to .htaccess
> On Wed, Nov 11, 2009 at 11:08 AM, Dawid Golunski <golunski at onet.eu> wrote:
>> The execution of the PHP code despite the .php.jpg extension is because Apache allows for multiple extensions. Here is a quote from the Apache docs on this matter:
>>
>> Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.
>>
>> Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and the text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imagemap imagemap file.
>> IV. PROOF OF CONCEPT
>>
>> Browser is enough to replicate this issue. Simply log in to your blog as a low privileged user or admin. Create a new post and use the media file upload feature to upload a file:
>>
>> containing the following code:
>>
>> After the upload you should receive a positive response saying:
>>
>> and it should be possible to request the uploaded file via a link:
>>
>> thus executing the PHP code it contains.
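An Apache configuration of the kind Otto asks for, added here as an example (not from the thread, the advisory, or WordPress); it assumes Apache 2.2 with mod_php5 and a DocumentRoot of /var/www/html, both placeholders to adjust for your own server.

```apache
# WEAK (do not use): an extension-keyed handler or type mapping is applied by
# mod_mime to every extension in the name, so test.php.jpg still reaches the
# PHP handler while .jpg only supplies the MIME type.
#   AddHandler application/x-httpd-php .php
#   AddType    application/x-httpd-php .php

# CORRECTED: bind the PHP handler only when .php is the final extension.
# test.php.jpg no longer matches and is served as a static image/jpeg file.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Defence in depth for the upload tree (path is a placeholder): no script
# execution there regardless of file name, and no direct requests to files
# whose final extension is a PHP one.
<Directory "/var/www/html/wp-content/uploads">
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    RemoveHandler .php .phtml .php3 .php4 .php5
    RemoveType    .php .phtml .php3 .php4 .php5
    Options -ExecCGI
    <FilesMatch "\.ph(p[0-9]?|tml)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

On Apache 2.4 replace the Order/Deny pair with `Require all denied`; after reloading, check that a request for an uploaded test.php.jpg comes back as image/jpeg and that a request for an uploaded test.php is refused.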