[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
- From: Milan Berger <m.berger@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Nov 2009 13:48:46 +0100
Hi there,
> IV. PROOF OF CONCEPT
> -------------------------
> Browser is enough to replicate this issue. Simply log in to your
> wordpress blog as a low privileged
> user or admin. Create a new post and use the media file upload
> feature to upload a file:
>
> test-image.php.jpg
>
> containing the following code:
>
> <?php
> phpinfo();
> ?>
>
> After the upload you should receive a positive response saying:
>
> test-vuln.php.jpg
> image/jpeg
> 2009-11-11
>
> and it should be possible to request the uploaded file via a link:
> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
with Suhosin-Patch 0.9.7
Shows a broken image no code executed.
--
Kind Regards
Milan Berger
Project-Mindstorm Technical Engineer
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/