Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
From: Moritz Naumann <security () moritz-naumann com>
Date: Thu, 12 Nov 2009 18:51:24 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Milan Berger wrote:
Hi there,

IV. PROOF OF CONCEPT
-------------------------
Browser is enough to replicate this issue. Simply log in to your  
wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload
feature to upload a file:

test-image.php.jpg

containing the following code:

<?php
     phpinfo();
?>

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
with Suhosin-Patch 0.9.7
Shows a broken image no code executed.

This is specific to Apaches' Add* directives, when combined with the PHP
SAPI / Apache module:
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
http://isc.sans.org/diary.html?storyid=6139

It's been like that for years, but many Linux distros still ship with
default configurations which bear this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREKAAYFAkr8SxwACgkQn6GkvSd/BgyWFACcDDGWwp92WxOunIr26u3juxL5
FvYAn1ynPl1pBolZKyV/mLQrb+i/AROY
=sM0Q
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault