[wp-hackers] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Otto otto at ottodestruct.com
Thu Nov 12 17:00:21 UTC 2009

Scratch that, I found a vulnerable host. Friend of mine has a shared
hosting account which shows the issue.

What's more, I figured out how to reproduce the problem. And it has
nothing to do with MultiViews.

If the host's configuration uses this (or similar), to tie PHP files
to the PHP interpreter, then test.php.jpg is executable:

AddHandler application/x-httpd-php .php

If, instead, they use this (or similar):

<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
    SetHandler application/x-httpd-php
<FilesMatch "\.phps$">
   SetHandler application/x-httpd-php-source

Then the server is safe from this type of attack.

Step 15 here talks about this sort of thing:

Sent from Memphis, TN, United States

On Thu, Nov 12, 2009 at 10:43 AM, Otto <otto at ottodestruct.com> wrote:
> I don't have access to any hosts that have this issue. I tried the
> ones I use, and have yet to find one that will execute *.php.jpg from
> a web request.
> If it's an Apache problem, then somebody should be able to tell me how
> to configure Apache to do it. I can't figure it out.
> I can confirm that simply turning on MultiViews doesn't create an
> exploitable system. There's some more configuration to make it happen.
> A default Apache and PHP installation, with no extreme changes to
> them, is NOT vulnerable.
> -Otto
> On Thu, Nov 12, 2009 at 10:40 AM, Ken Newman <Ken at adcstudio.com> wrote:
>> I have replicated this behavior, as in executed info.php.jpg on a server
>> running from a popular hosting company. (Is it appropriate to list hosts
>> here?) I figured out which host to test from the previous message from Lynne
>> Pope, :
>> I just learned that Multiviews are enabled by default and that this is the
>> config for WHM/cPanel servers.
>> So I went to a client's site (one of our only clients with a cPanel host;
>> going to switch them to our normal host soon.) and tested it. I was
>> surprised that it worked on such a popular host.
>> If you want to test this out, Dave Jones or Otto, you'll probably have to
>> use a host with WHM/cPanel.
>> On 11/12/2009 11:25 AM, Dave Jones wrote:
>>> I'm slightly confused since I thought the exploit allowed arbitrary
>>> execution of PHP on the server.  This is much worse than a XSS Javascript
>>> exploit since PHP could potentially send spam emails, execute a DDOS attack,
>>> delete your public_html directory from the server or whatever.
>>> i have no doubt that fixing this exploit is a good thing, however I feel
>>> it slightly misses the point.  That said, I have been unable to replicate
>>> this exploit in the wild, even with Options +MultiVIews.
>>> This is clearly and Apache/mis-configuration issue and if fixed in WP will
>>> remain unfixed in countless other web applications.  It would be far better
>>> to ensure your host correctly configures Apache and doesn't leave security
>>> holes in the server, or move to a host that does!
>>> Dave Jones
>>> www.technicacreative.co.uk
>>> On 12 Nov 2009, at 16:18, Jacob Santos wrote:
>>>> Okay, good news, we've fixed the extension exploit and then will have to
>>>> wait another 6 to 8 months while another XSS attack shows up about people
>>>> adding images executing JavaScript on their servers (which isn't completely
>>>> bad since most / all administrative tasks requires a nonce).
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list