Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

From: Martin Aberastegue <xyborg () gmail com>
Date: Thu, 12 Nov 2009 10:41:48 -0300
The same here tested on Wordpress 2.8.5 / Apache/2.0.63 (Unix)
mod_ssl/2.0.63 OpenSSL/0.9.7a mod_auth_passthrough/2.1
mod_bwlimited/1.4 FrontPage/5.0.2.2635 - PHP/5.2.6

Regards

--
Martin Aberastegue
http://www.martinaberastegue.com/



On Thu, Nov 12, 2009 at 9:48 AM, Milan Berger
<m.berger () project-mindstorm net> wrote:

Hi there,


IV. PROOF OF CONCEPT
-------------------------
Browser is enough to replicate this issue. Simply log in to your
wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload
feature to upload a file:

test-image.php.jpg

containing the following code:

<?php
      phpinfo();
?>

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg


tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
with Suhosin-Patch 0.9.7
Shows a broken image no code executed.

--
Kind Regards

Milan Berger
Project-Mindstorm Technical Engineer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: