Message-ID: <4AFF3BF0.5050701@ec-penflue.net>
Date: Sun, 15 Nov 2009 08:23:28 +0900
From: YK <fulldisc@...penflue.net>
To: Full disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

WordPress 2-8-6 Release, fixes two security problems.
http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/

---------
YK<fulldisc@...penflue.net>
http://suiseeda.ddo.jp/wordpress/

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Milan Berger wrote:
>
>> Hi there,
>>
>>
>>> IV. PROOF OF CONCEPT
>>> -------------------------
>>> Browser is enough to replicate this issue. Simply log in to your
>>> wordpress blog as a low privileged
>>> user or admin. Create a new post and use the media file upload
>>> feature to upload a file:
>>>
>>> test-image.php.jpg
>>>
>>> containing the following code:
>>>
>>> <?php
>>> phpinfo();
>>> ?>
>>>
>>> After the upload you should receive a positive response saying:
>>>
>>> test-vuln.php.jpg
>>> image/jpeg
>>> 2009-11-11
>>>
>>> and it should be possible to request the uploaded file via a link:
>>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>>>
>> tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
>> with Suhosin-Patch 0.9.7
>> Shows a broken image no code executed.
>>
>
> This is specific to Apache's Add* directives, when combined with the PHP
> SAPI / Apache module:
> http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
> http://isc.sans.org/diary.html?storyid=6139
>
> It's been like that for years, but many Linux distros still ship with
> default configurations which bear this issue.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEAREKAAYFAkr8SxwACgkQn6GkvSd/BgyWFACcDDGWwp92WxOunIr26u3juxL5
> FvYAn1ynPl1pBolZKyV/mLQrb+i/AROY
> =sM0Q
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
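
Added example (not part of the original messages, and not WordPress or Apache code): a simplified Python model of the mod_mime multiple-extension rule linked in the quoted reply, showing why test-vuln.php.jpg is reported as image/jpeg yet still reaches the PHP handler under AddHandler, together with an upload-name check that inspects every extension rather than only the last. It goes slightly beyond the thread by also covering the AddType-only case. The mapping tables, function names and blocked-extension list are constructed for illustration, and the fallback from handler to content type is an assumption of the model.

```python
"""Simplified model of Apache mod_mime multiple-extension resolution (added example)."""

PHP = "application/x-httpd-php"

# Constructed sample configurations (hypothetical, not taken from any distro).
ADD_TYPE = {"jpg": "image/jpeg", "png": "image/png", "txt": "text/plain"}
ADD_HANDLER_PHP = {"php": PHP}          # AddHandler application/x-httpd-php .php
ADD_TYPE_PHP = dict(ADD_TYPE, php=PHP)  # AddType application/x-httpd-php .php


def resolve(filename, add_type, add_handler):
    """Return (content_type, handler) the way mod_mime combines extensions.

    Every dot-separated token after the base name is looked up; for each kind
    of metadata the rightmost matching extension wins, and unknown extensions
    are skipped. Content type and handler are tracked independently.
    """
    ctype = handler = None
    for ext in filename.lower().split(".")[1:]:
        ctype = add_type.get(ext, ctype)
        handler = add_handler.get(ext, handler)
    return ctype, handler


def runs_as_php(filename, add_type, add_handler):
    """True if the request would be dispatched to the PHP module.

    Assumption of this model: with no explicit handler set, Apache
    dispatches on the content type instead.
    """
    ctype, handler = resolve(filename, add_type, add_handler)
    return (handler or ctype) == PHP


def safe_upload_name(filename, blocked=("php", "phtml", "php3", "php4", "php5")):
    """Upload-side check: reject a blocked token in any position, not just the last."""
    return not any(ext in blocked for ext in filename.lower().split(".")[1:])


if __name__ == "__main__":
    for name in ("test-vuln.php.jpg", "notes.php.bak", "photo.jpg", "index.PHP"):
        print(name,
              "| AddHandler:", runs_as_php(name, ADD_TYPE, ADD_HANDLER_PHP),
              "| AddType only:", runs_as_php(name, ADD_TYPE_PHP, {}),
              "| upload accepted:", safe_upload_name(name))
```

On the server side, the corresponding mitigation is to bind the PHP handler only to names that end in .php and to keep handler mappings out of the uploads directory.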