[wp-trac] [WordPress Trac] #19235: Turn ms-files.php off by default
WordPress Trac
wp-trac at lists.automattic.com
Fri Nov 11 23:18:57 UTC 2011
#19235: Turn ms-files.php off by default
--------------------------+------------------------------
Reporter: nacin | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Multisite | Version:
Severity: normal | Resolution:
Keywords: 3.4-early |
--------------------------+------------------------------
Comment (by adambackstrom):
Just to add to the discussion, allowing direct access to the files under
nginx/php-fpm can allow remote code execution if the server is configured
poorly:
http://wiki.nginx.org/Pitfalls#Pass_Non-PHP_Requests_to_PHP.
Under WordPress 3.2.1, I can upload a file "foo.jpg" that contains PHP,
and an attacker could craft a URL that causes PHP to evaluate the contents
of this file. There are several ways to protect yourself, and nginx/php-fpm
is the less common server setup, but ms-blogs.php offers basic
protection if you keep blogs.dir out of the document root. Felt like it
should be part of the thread.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19235#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
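The nginx pitfall the comment links to, shown as an added configuration example that is not part of the ticket or of WordPress: a `location ~ \.php$` block hands every URI ending in `.php` to php-fpm, and with PHP's default `cgi.fix_pathinfo=1` the interpreter falls back to the nearest existing file on the path, so an uploaded image containing PHP can end up being executed. The paths, socket and server name below are assumed for illustration.

```nginx
# Weak pattern: any URI ending in .php reaches php-fpm, even when that
# exact file does not exist on disk. php-fpm then walks back along the
# path (cgi.fix_pathinfo=1) and may execute an uploaded "image" instead.
server {
    server_name weak.example;            # assumed
    root /var/www/weak.example/htdocs;   # assumed
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
    }
}

# Hardened pattern: the same site with three independent controls.
server {
    server_name hardened.example;            # assumed
    root /var/www/hardened.example/htdocs;   # assumed

    # 1. Only hand a request to php-fpm when the requested .php file itself
    #    exists; otherwise return 404 before PHP sees it.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
    }

    # 2. Never execute PHP from upload directories; serve them as static
    #    files only. Paths are the usual WordPress upload locations, assumed.
    location ~* ^/wp-content/(uploads|blogs\.dir)/.*\.php$ {
        return 404;
    }

    # 3. Serve uploads with a fixed set of static types. Keeping blogs.dir
    #    outside the document root, as the comment notes, removes the files
    #    from direct reach entirely.
    location ^~ /wp-content/uploads/ {
        try_files $uri =404;
    }
}
```

On the PHP side, setting `cgi.fix_pathinfo=0` in php.ini and leaving php-fpm's `security.limit_extensions = .php` at its default closes the same hole from the interpreter's end, so the nginx rules above are not the only line of defence.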