Re: WordPress Authenticated File Upload Authorisation Bypass

[Gage Bystrom <themadichib0d () gmail com>]

to me it seems like hes trying to say that someone with administrative
access has the ability to....have administrative access. Its like
saying "Hey guys! I found a local exploit and all it requires is to be
a root user!!!"

I'm not sure if he's trolling or just stupid.

On Thu, Jun 21, 2012 at 7:42 AM, Greg Knaddison
<greg.knaddison () acquia com> wrote:
> On Wed, Jun 20, 2012 at 8:04 PM, Denis Andzakovic
> <denis.andzakovic () security-assessment com> wrote:
> > Exploitation of this vulnerability requires a malicious user with
> > access to the admin panel to use the
> > "/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
> > file.
>
>
> That tool is meant to allow an admin to upload arbitrary php plugins. You
> can argue that this feature is insecure by design, but there are two
> solutions from the WordPress perspective:
>
> 1) "Don't grant malicious users the permission to install plugins."
> 2) If you don't want this feature on your site at all, this feature can be
> disabled in the config define( 'DISALLOW_FILE_MODS', TRUE);
>
> By the way, two more "vulnerabilities" the theme installer has this same
> issue and the upgrade tool could also be abused if you can poison the DNS of
> the server.
>
> Regards,
> Greg
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/