Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
From: Milan Berger <m.berger () project-mindstorm net>
Date: Thu, 12 Nov 2009 13:48:46 +0100

Hi there,

IV. PROOF OF CONCEPT
-------------------------
Browser is enough to replicate this issue. Simply log in to your  
wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload
feature to upload a file:

test-image.php.jpg

containing the following code:

<?php
      phpinfo();
?>

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
with Suhosin-Patch 0.9.7
Shows a broken image no code executed.

-- 
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]