[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Matthew Kettlewell ceo at kettlewell.net
Wed Nov 11 18:06:25 UTC 2009


Would be interesting to see how many servers in the wild have Apache
configured to allow this sort of thing... I suspect that most advanced
users know better and how to configure it for changes, but would a big
hosting company leave something like this open to reduce support calls to
turn it on, or out of ignorance?


On Wed, Nov 11, 2009 at 11:00 AM, Dave Jones <dave at technicacreative.co.uk> wrote:

> I was testing test.php - I have to agree with Otto on none of my servers
> does test.php.jpg return anything but an empty image.
>
> Looks like this is a false alarm.
>
>
> Dave Jones
> www.technicacreative.co.uk
>
>
> On 11 Nov 2009, at 17:48, Otto wrote:
>
>> This seems like an Apache configuration problem to me. There are no
>> circumstances I can think of where I'd want test.php.jpg to be
>> executed as PHP by Apache.
>>
>> A suggestion of an Apache configuration to disallow this type of thing
>> in the first place would be more helpful than resorting to .htaccess
>> hacks.
>>
>> -Otto
>>
>>
>>
>> On Wed, Nov 11, 2009 at 11:08 AM, Dawid Golunski <golunski at onet.eu>
>> wrote:
>>
>>> The execution of the PHP code despite the .php.jpg extension is possible
>>> because Apache allows for multiple extensions. Here is a quote from the
>>> Apache docs regarding this matter:
>>>
>>> "
>>> Files can have more than one extension, and the order of the extensions is
>>> normally irrelevant. For example, if the file welcome.html.fr maps onto
>>> content type text/html and language French then the file welcome.fr.html
>>> will map onto exactly the same information. If more than one extension is
>>> given that maps onto the same type of meta-information, then the one to the
>>> right will be used, except for languages and content encodings. For
>>> example, if .gif maps to the MIME-type image/gif and .html maps to the
>>> MIME-type text/html, then the file welcome.gif.html will be associated with
>>> the MIME-type text/html.
>>>
>>> Care should be taken when a file with multiple extensions gets associated
>>> with both a MIME-type and a handler. This will usually result in the
>>> request being handled by the module associated with the handler. For
>>> example, if the .imap extension is mapped to the handler imap-file (from
>>> mod_imagemap) and the .html extension is mapped to the MIME-type text/html,
>>> then the file world.imap.html will be associated with both the imap-file
>>> handler and text/html MIME-type. When it is processed, the imap-file
>>> handler will be used, and so it will be treated as a mod_imagemap imagemap
>>> file.
>>> "
>>>
>>> IV. PROOF OF CONCEPT
>>> -------------------------
>>> A browser is enough to replicate this issue. Simply log in to your
>>> WordPress blog as a low privileged user or admin. Create a new post and use
>>> the media file upload feature to upload a file:
>>>
>>> test-image.php.jpg
>>>
>>> containing the following code:
>>>
>>> <?php
>>>       phpinfo();
>>> ?>
>>>
>>> After the upload you should receive a positive response saying:
>>>
>>> test-vuln.php.jpg
>>> image/jpeg
>>> 2009-11-11
>>>
>>> and it should be possible to request the uploaded file via a link:
>>>
>>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>>>
>>> thus executing the PHP code it contains.
>>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
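The Apache configuration Otto asks for, as an added example that is not part of the original thread or of WordPress. It assumes mod_php on Apache 2.2 (the common setup when this was posted), a WordPress install under /var/www/html, and that PHP was wired up with an unanchored AddType/AddHandler line; the path and the extension list are assumptions to adjust to your own server. It belongs in httpd.conf or the vhost, not in an .htaccess file, so it cannot be undone by a writable upload directory.

```apache
# Weak mapping, common in distro configs of the period. mod_mime applies
# these to ANY extension in the name, so test-vuln.php.jpg picks up both
# image/jpeg (from .jpg) and the PHP handler (from .php), and per the
# multiple-extension rule quoted above the handler wins.
#
#   AddType    application/x-httpd-php .php
#   AddHandler php5-script .php

# Hardened mapping: anchor the match to the LAST extension, so only a
# name that actually ends in .php is handed to mod_php.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Belt and braces for the upload tree: no PHP execution there at all,
# whatever the file is called. Path assumed for a default install.
<Directory "/var/www/html/wp-content/uploads">
    # mod_php only: disable the engine for this directory tree. Not
    # effective for PHP run via CGI/FastCGI, which is why the FilesMatch
    # below is kept as well.
    php_flag engine off

    # Refuse to serve any file carrying a PHP-style extension anywhere in
    # its name (test.php.jpg, test.phtml.png, ...). Extend the list to
    # match whatever your AddHandler/AddType lines map to PHP.
    <FilesMatch "\.ph(p[3457]?|tml)(\.|$)">
        # Apache 2.2 syntax; on 2.4 use:  Require all denied
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

To confirm the fix, repeat Dave Jones's test: upload test.php.jpg containing phpinfo() and request it. With the weak mapping you get the phpinfo page; with the anchored FilesMatch the server returns the bytes as image/jpeg, and inside the uploads directory the request is refused outright (403). Note that the second block is what protects you if an attacker can also drop an .htaccess file into the uploads directory, since server-level Deny cannot be overridden from there unless AllowOverride permits it.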

