[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Pete Mall pete at jointforcestech.com
Thu Nov 12 17:26:45 UTC 2009


My WordPress MU installation converts it to testphp.jpg from test.php.jpg



On Thu, Nov 12, 2009 at 9:17 AM, Otto <otto at ottodestruct.com> wrote:

> That's the basic exploit, yes. Make a PHP file. Rename it to
> whatever.php.jpg.
>
> WordPress will allow low-privilege users to upload this file through
> WordPress, as *.jpg is in the whitelist for those users.
>
> And apparently, some poorly configured Apache installations will let
> you request that file and have it actually run as PHP code. Which can
> provide a neat little backdoor into the system.
>
> To exploit it, you must have a login to the system, the system must
> allow you to upload files, and Apache must be configured using the
> older AddHandler directive instead of the latest PHP recommended
> method.
>
> -Otto
> Sent from Memphis, TN, United States
>
>
> On Thu, Nov 12, 2009 at 11:11 AM, Chris Jean <gaarai at gaarai.com> wrote:
> > I've just caught wind of this issue. Can I get more details on how to
> > attempt the exploit? For example, if there is a file: exploit.php.jpg, do I
> > simply request that file via the browser or is there a trick to it?
> >
> > Chris Jean
> > http://gaarai.com/
> > @chrisjean
> >
> >
> >
> > Otto wrote:
> >>
> >> I just confirmed on my friend's vulnerable host that this code in the
> >> .htaccess removed the vulnerability.
> >>
> >> RemoveHandler application/x-httpd-php .php
> >> <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
> >>   SetHandler application/x-httpd-php
> >> </FilesMatch>
> >> <FilesMatch "\.phps$">
> >>  SetHandler application/x-httpd-php-source
> >> </FilesMatch>
> >>
> >> -Otto
> >> Sent from Memphis, TN, United States
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >
> >
>
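The thread describes two defences against the double-extension upload: Otto's .htaccess change, which only hands `.php`-family files to the PHP handler when that is the *final* extension, and the WordPress MU behaviour Pete observed, which collapses `test.php.jpg` into `testphp.jpg` before writing the file. The block below is an added example, not code from the thread or from WordPress; it is written in Python rather than PHP, the function names are hypothetical, and the media allowlist is a constructed sample. It models the legacy AddHandler matching rule (any extension segment triggers the handler) so an administrator can audit an existing uploads directory, and shows an upload-name sanitizer that applies the MU-style collapse plus an allowlist before a file reaches the webroot.

```python
import os

# Extensions that Otto's .htaccess FilesMatch rules route to the PHP handler.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phpt", "phps"}

# Constructed allowlist (assumption): media types a low-privilege user may upload.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def addhandler_would_execute(filename: str) -> bool:
    """Model of the older AddHandler configuration the thread warns about.

    mod_mime treats every dot-separated segment after the basename as an
    extension, so 'test.php.jpg' is handed to PHP. The FilesMatch form in
    the .htaccess fix anchors on '\\.php$' and therefore only matches the
    final extension.
    """
    segments = os.path.basename(filename).split(".")[1:]
    return any(seg.lower() in PHP_EXTENSIONS for seg in segments)


def find_risky_uploads(filenames):
    """Audit helper: return the names that the legacy config would execute."""
    return [name for name in filenames if addhandler_would_execute(name)]


def collapse_intermediate_extensions(filename: str) -> str:
    """Mirror the WordPress MU behaviour Pete reports: keep only the last
    dot, so 'test.php.jpg' becomes 'testphp.jpg'."""
    parts = filename.split(".")
    if len(parts) < 3:
        return filename
    return "".join(parts[:-1]) + "." + parts[-1]


def safe_upload_name(filename: str):
    """Return a name that is safe to write under the uploads directory,
    or None if the upload should be rejected.

    1. discard any path components supplied by the client,
    2. collapse intermediate extensions,
    3. require the final extension to be on the media allowlist,
    4. refuse anything the legacy AddHandler config would still execute.
    """
    name = os.path.basename(filename.replace("\\", "/")).strip()
    name = collapse_intermediate_extensions(name)
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if addhandler_would_execute(name):  # defence in depth; cannot pass after step 3
        return None
    return name


if __name__ == "__main__":
    # Constructed sample listing of an uploads directory.
    sample = ["photo.jpg", "test.php.jpg", "notes.phtml.png", "shell.php"]
    print("would execute under AddHandler:", find_risky_uploads(sample))
    for candidate in sample:
        print(f"{candidate!r:20} -> {safe_upload_name(candidate)!r}")
```

Step 4 is redundant once the allowlist is enforced, but keeping it makes the sanitizer safe even if someone later adds an entry such as `phtml` to the allowlist by mistake. The audit helper is the check an incident responder would run against the existing uploads tree on a host that still uses the AddHandler directive.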

