Privilege Escalation Vulnerability in File Upload handling
Reported by: doit-cu
Owned by: anonymous
Priority: highest omg bbq
Milestone:
Severity: critical
Keywords: security uploading bg|has-patch
It is possible to upload and execute arbitrary PHP code via the inline uploads section of the write posts area. This can lead, among other things, to privilege escalation.
Please contact webmaster@… if you require a working proof of concept. This proof of concept makes all users of any WordPress 2.0 installation administrators. I will not release this code until this problem has been addressed. Exploit code will only be provided to those working on solving the problem; otherwise, don't ask.
A possible workaround is to do a RemoveHandler in an .htaccess file in the uploads directory: RemoveHandler .php for instance. However, if you have defined more than just .php as PHP code in an Apache configuration, you will need to add those filetypes to the RemoveHandler directive.
A better solution is to disallow uploading of PHP-handled filetypes unless the WordPress user is an administrator.
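The following is an added example, not code from the ticket or from WordPress, of the upload-side check the report recommends: reject any filename carrying a PHP-handled extension unless the uploading user is an administrator. The function names, the extension list and the sample filenames are assumptions; the list must be matched to the AddHandler/AddType lines of the server's own Apache configuration, as the ticket points out for the RemoveHandler workaround.

```php
<?php
// Added example (not from the ticket or WordPress): a deny-list check for
// PHP-handled upload extensions, applied unless the uploading user is an
// administrator. Function names and the extension list are hypothetical.

/**
 * Extensions that a typical Apache/PHP setup maps to the PHP handler.
 * Extend this list to match the AddHandler/AddType lines in your own
 * Apache configuration.
 */
function php_handled_extensions() {
    return array('php', 'php3', 'php4', 'php5', 'phtml', 'phps');
}

/**
 * Return true if the filename must be rejected for a non-administrator.
 *
 * Every dot-separated segment after the base name is checked, not only the
 * last one, because Apache's mod_mime can apply a handler based on any
 * extension in a multi-extension name such as "image.php.jpg".
 */
function is_upload_blocked($filename, $user_is_admin) {
    if ($user_is_admin) {
        return false;
    }
    $parts = explode('.', basename($filename));
    array_shift($parts); // discard the base name, keep the extension segments
    foreach ($parts as $segment) {
        if (in_array(strtolower($segment), php_handled_extensions(), true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs for a quick self-check from the command line.
$samples = array(
    'photo.jpg'      => false,
    'shell.php'      => true,
    'shell.PHP'      => true,
    'image.php.jpg'  => true,
    'notes.phtml'    => true,
    'archive.tar.gz' => false,
);
foreach ($samples as $name => $expected) {
    $blocked = is_upload_blocked($name, false);
    printf("%-16s %s\n", $name, $blocked === $expected ? 'ok' : 'MISMATCH');
}
```

The check belongs before the file is written into the uploads directory, and it complements rather than replaces the .htaccess RemoveHandler workaround: the server-side directive still protects files that reach the directory by another path, while the upload check keeps them from being written at all.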
Change History (7)
- Keywords security uploading bg|has-patch added
- Milestone set to 2.0.1
- Summary changed from Privilege Escelation Vulnerability in File Upload handling to Privilege Escalation Vulnerability in File Upload handling