[wp-trac] [WordPress Trac] #11104: 2.8.5 Injection Exploit
WordPress Trac
wp-trac at lists.automattic.com
Mon Nov 16 03:32:31 UTC 2009
#11104: 2.8.5 Injection Exploit
--------------------------+-------------------------------------------------
 Reporter:  bradyk        |       Owner:  ryan
     Type:  defect (bug)  |      Status:  new
 Priority:  high          |   Milestone:  Unassigned
Component:  Security      |     Version:  2.8.5
 Severity:  blocker       |    Keywords:  dev-feedback 2nd-opinion exploit, injection, hack, malware, porn
--------------------------+-------------------------------------------------
Comment(by petervanderdoes):
Kyle:
What is the name of the uploaded file?
Where did the file end up on your server?
What are the rights of the directory the file ended up in?
It's not hard to understand what you are saying; the thing is that the
check whether a user is logged in is used all over the admin section.
There are two checks before upload.php really starts doing its job.
1. It checks if the user is logged in using a cookie; if the check fails, the
user is redirected to the login page.
2. If the user passes the 1st check, the 2nd check is if that user has
upload privileges.
If what you say is true, and I'm not saying you are wrong, the attacker
has found a way to create a cookie with your or the admin's information.
Like dd32 said, having the POST in a log would help a lot.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11104#comment:12>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
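
The two checks described in the comment above, and the request for the logged POST, suggest a first triage pass over the web server access log. This is an added example, not code from the ticket or from WordPress. It assumes Apache combined log format and WordPress installed at the web root, uses constructed sample lines, and also matches async-upload.php and media-upload.php, which the comment does not name.

```python
import re

# Constructed sample lines (Apache combined format), not taken from the ticket.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2009:21:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2009:21:03:40 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 412 "-" "Shockwave Flash"
198.51.100.23 - - [15/Nov/2009:22:14:05 +0000] "POST /wp-admin/upload.php HTTP/1.1" 302 - "-" "curl/7.19"
198.51.100.99 - - [15/Nov/2009:23:41:52 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 398 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: site lives at the web root, so admin paths start with /wp-admin/.
UPLOAD_RE = re.compile(r'^/wp-admin/(?:upload|async-upload|media-upload)\.php(?:\?|$)')


def triage_uploads(log_text):
    """Classify each POST to an admin upload script.

    redirected    - 3xx answer, e.g. check 1 sent the client to the login page
    after_login   - request was served and the same IP logged in earlier in this log
    no_login_seen - request was served but no login from that IP is in this log,
                    so the cookie came from somewhere else and needs explaining
    """
    logged_in = set()   # IPs with a successful login POST (wp-login.php answers 302)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        ip, path, status = m['ip'], m['path'], int(m['status'])
        if path.startswith('/wp-login.php') and status == 302:
            logged_in.add(ip)
        elif UPLOAD_RE.match(path):
            if 300 <= status < 400:
                verdict = 'redirected'
            elif ip in logged_in:
                verdict = 'after_login'
            else:
                verdict = 'no_login_seen'
            findings.append((m['ts'], ip, path, status, verdict))
    return findings


if __name__ == '__main__':
    for row in triage_uploads(SAMPLE_LOG):
        print(*row, sep='  ')
```

A `no_login_seen` row only marks where to look next: standard access logs record neither cookies nor POST bodies, and a legitimate session may have started before the log window or from another address.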