[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Pete Mall pete at jointforcestech.com
Thu Nov 12 21:30:11 UTC 2009


This is already fixed in WP 2.8.6.


On Thu, Nov 12, 2009 at 1:26 PM, Robert Pendell <shinji at elite-systems.org> wrote:

> Ok.  I'm curious here.  Does this only affect configurations that use PHP
> as an Apache module?  That's what those instructions dictate.  Here is my
> configuration and it isn't affected even with MultiViews on.  I am running
> PHP as a fastcgi binary.
>
> .htaccess:
> AddHandler fastcgi-script fcg fcgi fpl
> AddHandler php5-fastcgi .php
> Action php5-fastcgi /php5-wrapper.fcgi
>
>
>
>
> Robert Pendell
> shinji at elite-systems.org
> CAcert Assurer
> "A perfect world is one of chaos."
>
>
>
> On Thu, Nov 12, 2009 at 12:00 PM, Otto <otto at ottodestruct.com> wrote:
>
> > Scratch that, I found a vulnerable host. Friend of mine has a shared
> > hosting account which shows the issue.
> >
> > What's more, I figured out how to reproduce the problem. And it has
> > nothing to do with MultiViews.
> >
> >
> > If the host's configuration uses this (or similar) to tie PHP files
> > to the PHP interpreter, then test.php.jpg is executable:
> >
> > AddHandler application/x-httpd-php .php
> >
> > If, instead, they use this (or similar):
> >
> > <FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
> >    SetHandler application/x-httpd-php
> > </FilesMatch>
> > <FilesMatch "\.phps$">
> >   SetHandler application/x-httpd-php-source
> > </FilesMatch>
> >
> > Then the server is safe from this type of attack.
> >
> > Step 15 here talks about this sort of thing:
> > http://php.net/manual/en/install.unix.apache2.php
> >
> >
> > -Otto
> > Sent from Memphis, TN, United States
> >
> >
> > On Thu, Nov 12, 2009 at 10:43 AM, Otto <otto at ottodestruct.com> wrote:
> > > I don't have access to any hosts that have this issue. I tried the
> > > ones I use, and have yet to find one that will execute *.php.jpg from
> > > a web request.
> > >
> > > If it's an Apache problem, then somebody should be able to tell me how
> > > to configure Apache to do it. I can't figure it out.
> > >
> > > I can confirm that simply turning on MultiViews doesn't create an
> > > exploitable system. There's some more configuration to make it happen.
> > >
> > > A default Apache and PHP installation, with no extreme changes to
> > > them, is NOT vulnerable.
> > >
> > > -Otto
> > >
> > >
> > >
> > > On Thu, Nov 12, 2009 at 10:40 AM, Ken Newman <Ken at adcstudio.com> wrote:
> > >> I have replicated this behavior, as in executed info.php.jpg on a server
> > >> running from a popular hosting company. (Is it appropriate to list hosts
> > >> here?) I figured out which host to test from the previous message from
> > >> Lynne Pope:
> > >>
> > >> I just learned that MultiViews are enabled by default and that this is
> > >> the config for WHM/cPanel servers.
> > >>
> > >> So I went to a client's site (one of our only clients with a cPanel host;
> > >> going to switch them to our normal host soon) and tested it. I was
> > >> surprised that it worked on such a popular host.
> > >>
> > >> If you want to test this out, Dave Jones or Otto, you'll probably have
> > >> to use a host with WHM/cPanel.
> > >>
> > >> On 11/12/2009 11:25 AM, Dave Jones wrote:
> > >>>
> > >>> I'm slightly confused since I thought the exploit allowed arbitrary
> > >>> execution of PHP on the server.  This is much worse than an XSS
> > >>> JavaScript exploit since PHP could potentially send spam emails, execute
> > >>> a DDoS attack, delete your public_html directory from the server or
> > >>> whatever.
> > >>>
> > >>> I have no doubt that fixing this exploit is a good thing, however I feel
> > >>> it slightly misses the point.  That said, I have been unable to
> > >>> replicate this exploit in the wild, even with Options +MultiViews.
> > >>>
> > >>> This is clearly an Apache misconfiguration issue and if fixed in WP will
> > >>> remain unfixed in countless other web applications.  It would be far
> > >>> better to ensure your host correctly configures Apache and doesn't leave
> > >>> security holes in the server, or move to a host that does!
> > >>>
> > >>>
> > >>> Dave Jones
> > >>> www.technicacreative.co.uk
> > >>>
> > >>>
> > >>> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
> > >>>
> > >>>> Okay, good news, we've fixed the extension exploit and then will have
> > >>>> to wait another 6 to 8 months while another XSS attack shows up about
> > >>>> people adding images executing JavaScript on their servers (which isn't
> > >>>> completely bad since most / all administrative tasks require a nonce).
> > >>>
> > >>> _______________________________________________
> > >>> wp-hackers mailing list
> > >>> wp-hackers at lists.automattic.com
> > >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >>
> > >>
> > >
> >
>
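Otto's point in the quoted thread is that `AddHandler application/x-httpd-php .php` binds the PHP handler to every dot-separated extension of a filename, so `test.php.jpg` is executed, whereas the `<FilesMatch>` block with patterns anchored on the end of the name only fires when `.php` is the final extension. The script below is an added example written for this archive page, not code from the thread, from WordPress or from Apache: it models that mod_mime multi-extension rule for the two configuration styles Otto quoted and flags the permissive directive so an administrator can check a config offline. The function names `handler_for` and `audit_config` and the sample filenames are chosen here; the two config strings are constructed from the directives in the thread.

```python
import re

# Constructed sample configurations, following the two styles quoted in the
# thread: AddHandler bound to an extension, and an anchored FilesMatch block.
ADDHANDLER_CONFIG = "AddHandler application/x-httpd-php .php\n"
FILESMATCH_CONFIG = (
    '<FilesMatch "\\.php$|\\.php5$|\\.php4$|\\.php3$|\\.phtml$|\\.phpt$">\n'
    "    SetHandler application/x-httpd-php\n"
    "</FilesMatch>\n"
)

_ADDHANDLER = re.compile(r"^\s*AddHandler\s+(\S+)\s+(.+?)\s*$", re.M)
_FILESMATCH = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S)
_SETHANDLER = re.compile(r"^\s*SetHandler\s+(\S+)", re.M)


def handler_for(filename, config):
    """Return the handler Apache would select for `filename`, or None.

    Two rules are modelled (hypothetical simplification of Apache's merge):
      * mod_mime AddHandler treats every dot-separated segment after the
        first as an extension (compared case-insensitively), so
        'shell.php.jpg' carries the extension 'php' and is handed to the
        PHP handler even though it ends in .jpg.
      * A <FilesMatch> regex is applied to the whole basename, so a
        pattern anchored on the end of the name only fires when .php is
        the final extension. SetHandler inside it takes precedence.
    """
    handler = None
    exts = [e.lower() for e in filename.split(".")[1:]]
    for m in _ADDHANDLER.finditer(config):
        name, ext_list = m.groups()
        if any(ext.lstrip(".").lower() in exts for ext in ext_list.split()):
            handler = name
    for m in _FILESMATCH.finditer(config):
        pattern, body = m.groups()
        set_handler = _SETHANDLER.search(body)
        if set_handler and re.search(pattern, filename):
            handler = set_handler.group(1)
    return handler


def audit_config(config):
    """Return AddHandler lines that bind a handler to the .php extension.

    Such directives are the permissive form: because of the multi-extension
    rule above they also apply to uploads named like image.php.jpg. An
    empty list means no directive of that form was found.
    """
    findings = []
    for m in _ADDHANDLER.finditer(config):
        exts = {e.lstrip(".").lower() for e in m.group(2).split()}
        if "php" in exts:
            findings.append(m.group(0).strip())
    return findings


if __name__ == "__main__":
    for name in ("index.php", "shell.php.jpg", "photo.jpg"):
        print(f"{name:15} AddHandler -> {handler_for(name, ADDHANDLER_CONFIG)}")
        print(f"{name:15} FilesMatch -> {handler_for(name, FILESMATCH_CONFIG)}")
    print("permissive directives:", audit_config(ADDHANDLER_CONFIG))
```

Running it shows `shell.php.jpg` resolving to the PHP handler only under the AddHandler style, which is the behaviour the thread describes; `audit_config` can be pointed at the text of a `.htaccess` or vhost file to find that directive before an upload-handling application is deployed behind it.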

