[wp-trac] [WordPress Trac] #11104: 2.8.5 Injection Exploit
WordPress Trac
wp-trac at lists.automattic.com
Thu Nov 12 20:22:13 UTC 2009
#11104: 2.8.5 Injection Exploit
--------------------------+-------------------------------------------------
Reporter: bradyk | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: Unassigned
Component: Security | Version: 2.8.5
Severity: blocker | Keywords: dev-feedback 2nd-opinion exploit, injection, hack, malware, porn
--------------------------+-------------------------------------------------
Comment(by ryan):
One of the first things upload.php does is die if the user isn't logged in
and doesn't have the right capabilities. Every time I see upload.php
being used for ill it is after the attacker has gained access via another
means. upload.php isn't the entry. You might still have remnants from an
attack against an older version of WP lingering. Check for extra admin
users and evals in the permalink_structure option. Exploit Scanner will
do these checks for you.
http://wordpress.org/extend/plugins/exploit-scanner/
bradyk, I replied to your security email a few days ago saying we would
add checks for what you discovered to the exploit scanner. Thanks for the
detailed post. Until we can track things down further, that's all we can
do right now.
2.8.5 could possibly help if your host is configured such that uploaded
files with a .php.jpg extension (or .php.gif, .php.png, etc.) are served
as php files. Check your upload directories for such files. We'll be
adding checks for that to exploit scanner as well.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11104#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
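
The upload-directory check described in the comment above can be scripted. The following is an added example, not part of the original message and not Exploit Scanner's code; the function names, the default `wp-content/uploads` path and the extra `php5`/`phtml` spellings are assumptions made for illustration.

```python
import os
import re
import sys

# Assumption: segments a misconfigured host might hand to PHP. The ticket
# comment names only ".php"; the other spellings are added for this example.
SCRIPT_SEGMENTS = re.compile(r"^(php\d?|phtml)$", re.IGNORECASE)


def script_segment(filename):
    """Return the PHP-like segment hidden before the final extension, or None.

    "shell.php.jpg" -> "php"; "photo.jpg" and "index.php" -> None.
    """
    parts = filename.split(".")
    # parts[0] is the base name, parts[-1] the final extension; only the
    # segments in between count as a disguised script extension.
    for segment in parts[1:-1]:
        if SCRIPT_SEGMENTS.match(segment):
            return segment.lower()
    return None


def scan_uploads(root):
    """Walk root and return sorted (relative_path, segment) for each hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            segment = script_segment(name)
            if segment is not None:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, segment))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed default path; pass the real uploads directory as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for rel, segment in scan_uploads(root):
        print(f"{rel}\thidden .{segment} segment")
```

A hit only means the file name matches the pattern; whether the host would actually execute it depends on the web server's handler configuration.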