[wp-trac] [WordPress Trac] #19235: Turn ms-files.php off by default

WordPress Trac wp-trac at lists.automattic.com
Fri Nov 11 23:39:07 UTC 2011


#19235: Turn ms-files.php off by default
--------------------------+------------------------------
 Reporter:  nacin         |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Multisite     |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  3.4-early     |
--------------------------+------------------------------

Comment (by nacin):

 Replying to [comment:11 adambackstrom]:
 > Under WordPress 3.2.1, I can upload a file "foo.jpg" that contains PHP,
 > and an attacker could craft a URL that causes PHP to evaluate the contents
 > of this file. There are several ways to protect yourself, and nginx/php-
 > fpm is the less common server setup, but ms-blogs.php offers basic
 > protection if you keep blogs.dir out of the document root. Felt like it
 > should be part of the thread.

 The solution for that would be to finally implement proper content
 sniffing on uploads, which is a separate matter. And making sure that PHP
 cannot be executed in blogs.dir or wp-content/uploads is best practice for
 performance, scaling, and security reasons anyway.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19235#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
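The "PHP cannot be executed in blogs.dir or wp-content/uploads" point from the comment above, written out as an nginx/php-fpm configuration. This is an added example for this archive page, not configuration shipped by WordPress core or posted on the ticket; the socket path /run/php-fpm.sock, the document root and the exact directory names are assumptions and will need adjusting to the installation.

```nginx
# Added example (not WordPress core's or the ticket author's configuration).
# Assumptions: php-fpm listens on unix:/run/php-fpm.sock, the site root is
# /var/www/wordpress, uploads live under /wp-content/uploads/ and
# /wp-content/blogs.dir/ inside the document root.

server {
    listen 80;
    server_name example.test;           # assumed hostname
    root /var/www/wordpress;            # assumed document root
    index index.php;

    # WEAK pattern (commented out): a single catch-all PHP handler. With this
    # alone, an uploaded /wp-content/uploads/evil.php runs, and with
    # cgi.fix_pathinfo=1 in php.ini a request like /uploads/foo.jpg/x.php can
    # make php-fpm execute foo.jpg itself.
    #
    # location ~ \.php$ {
    #     fastcgi_pass unix:/run/php-fpm.sock;
    #     include fastcgi_params;
    # }

    # HARDENED: the upload trees are matched with ^~ (prefix, stop searching),
    # so the regex PHP handler below is never consulted for them. Anything
    # ending in .php under these paths gets a 403, including
    # /wp-content/uploads/foo.jpg/x.php, and everything else is served as a
    # static file or 404s.
    location ^~ /wp-content/uploads/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }
    location ^~ /wp-content/blogs.dir/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Only pass scripts that exist on disk; a path such as
        # /real.jpg/fake.php does not, so it 404s instead of reaching php-fpm.
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Pair this with cgi.fix_pathinfo=0 in php.ini so php-fpm refuses to walk back along the path to find a script, and, as the comment says, treat the web-server rule as defence in depth rather than a substitute for validating what an upload actually contains.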

