[Full-disclosure] WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
Milan Berger
m.berger at project-mindstorm.net
Thu Nov 12 12:48:46 GMT 2009
Hi there,
> IV. PROOF OF CONCEPT
> -------------------------
> Browser is enough to replicate this issue. Simply log in to your
> wordpress blog as a low privileged
> user or admin. Create a new post and use the media file upload
> feature to upload a file:
>
> test-image.php.jpg
>
> containing the following code:
>
> <?php
> phpinfo();
> ?>
>
> After the upload you should receive a positive response saying:
>
> test-vuln.php.jpg
> image/jpeg
> 2009-11-11
>
> and it should be possible to request the uploaded file via a link:
> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
with Suhosin-Patch 0.9.7
Shows a broken image no code executed.
--
Kind Regards
Milan Berger
Project-Mindstorm Technical Engineer
Full-Disclosure is hosted and sponsored by Secunia.