[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
dave at technicacreative.co.uk
Thu Nov 12 17:22:03 UTC 2009
That's a nice plain English summary of the issue. Thanks.
On 12 Nov 2009, at 17:17, Otto wrote:
> That's the basic exploit, yes. Make a PHP file. Rename it to
> WordPress will allow low-privilege users to upload this file through
> WordPress, as *.jpg is in the whitelist for those users.
> And apparently, some poorly configured Apache installations will let
> you request that file and have it actually run as PHP code. Which can
> provide a neat little backdoor into the system.
> To exploit it, you must have a login to the system, the system must
> allow you to upload files, and Apache must be configured using the
> older AddHandler directive instead of the latest PHP recommended
> Sent from Memphis, TN, United States
> On Thu, Nov 12, 2009 at 11:11 AM, Chris Jean <gaarai at gaarai.com>
>> I've just caught wind of this issue. Can I get more details on how to
>> attempt the exploit? For example, if there is a file:
>> exploit.php.jpg, do I
>> simply request that file via the browser or is there a trick to it?
>> Chris Jean
>> Otto wrote:
>>> I just confirmed on my friend's vulnerable host that this code in
>>> .htaccess removed the vulnerability.
>>> RemoveHandler application/x-httpd-php .php
>>> <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
>>> SetHandler application/x-httpd-php
>>> </FilesMatch>
>>> <FilesMatch "\.phps$">
>>> SetHandler application/x-httpd-php-source
>>> </FilesMatch>
>>> Sent from Memphis, TN, United States
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
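Added example (not part of the original thread, and not WordPress or Apache code): a simplified Python model of the behaviour discussed above, where AddHandler considers every extension in a file name while the quoted FilesMatch fix only matches the end of the name. It flags uploads that pass a last-extension whitelist but would still be handed to PHP, and locates AddHandler lines in a config; the function names and sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Extensions and anchored pattern copied from the .htaccess fix quoted above.
PHP_EXTS = {"php", "php5", "php4", "php3", "phtml", "phpt"}
ANCHORED = re.compile(r"\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$")
# AddHandler line that binds a PHP handler (directive names are case-insensitive).
ADDHANDLER = re.compile(r"^\s*AddHandler\s+\S*php\S*\s+\S", re.IGNORECASE)

def addhandler_runs_php(name):
    """Simplified mod_mime model: with AddHandler, every dot-separated
    extension after the base name is looked up, not only the last one."""
    return any(ext in PHP_EXTS for ext in name.lower().split(".")[1:])

def filesmatch_runs_php(name):
    """Model of the fix: handler is set only when the name ends in a PHP extension."""
    return ANCHORED.search(name) is not None

def audit_uploads(paths):
    """Uploads that pass a last-extension whitelist yet run under AddHandler."""
    return [p for p in paths
            if addhandler_runs_php(PurePosixPath(p).name)
            and not filesmatch_runs_php(PurePosixPath(p).name)]

def find_addhandler_lines(conf_text):
    """1-based line numbers of non-comment AddHandler lines naming a PHP handler."""
    return [n for n, line in enumerate(conf_text.splitlines(), 1)
            if ADDHANDLER.match(line)]

# Constructed sample data, not taken from any real host.
SAMPLE_UPLOADS = [
    "wp-content/uploads/2009/11/holiday.jpg",
    "wp-content/uploads/2009/11/exploit.php.jpg",
    "wp-content/uploads/2009/11/report.v2.pdf",
    "wp-content/uploads/2009/11/theme.phtml.png",
]
SAMPLE_CONF = """\
# constructed example
AddType image/jpeg .jpg
AddHandler application/x-httpd-php .php
"""

if __name__ == "__main__":
    for path in audit_uploads(SAMPLE_UPLOADS):
        print("review:", path)
    print("AddHandler lines:", find_addhandler_lines(SAMPLE_CONF))
```

To audit a real site, feed `audit_uploads` the file names from the uploads directory and `find_addhandler_lines` the text of each Apache config or .htaccess file.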