WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#10692 closed defect (bug) (fixed)

Do not allow unfiltered uploads for admins by default

Reported by: ryan Owned by: ryan
Milestone: 2.8.5 Priority: normal
Severity: normal Version:
Component: Security Keywords: upload
Focuses: Cc:

Description

When someone compromises an admin account, often one of the first things they do is upload some .php files. This is allowed because admin users have the unfiltered_upload capability. Perhaps this should be disallowed by default, with a wp-config define enabling it again. With this disallowed and all write permissions on files locked down, adding arbitrary code is much harder even when an admin account is compromised.

Attachments (1)

10692.diff (529 bytes) - added by ryan 10 years ago.

Download all attachments as: .zip

Change History (11)

@ryan
10 years ago

#1 @westi
10 years ago

+100

All users should be limited by the whitelist and admins should add filetypes to that with knowledge.

http://wordpress.org/extend/plugins/pjw-mime-config/

#2 @ryan
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [11887]) Disallow unfiltered uploads for admins by default. fixes #10692

#3 @ryan
10 years ago

(In [11888]) Disallow unfiltered uploads for admins by default. fixes #10692 for 2.8

#4 @ryan
10 years ago

  • Milestone changed from 2.9 to 2.8.5

#5 @dd32
10 years ago

Whats the point of the do_not_allow capability?

#6 @snakefoot
10 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Are you not missing a break in the case statement in the 2.8 patch ?

#7 @ryan
10 years ago

It happens to work without the break since an imaginary cap is inserted, but the break should be there. Well-spotted.

#8 @ryan
10 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [11912]) Add missing break. Props snakefoot. fixes #10692

#10 @snakefoot
10 years ago

You are welcome :), I'm maintaining a Wordpress 2.0 installation while waiting for a blocking issue will be resolved. I monitor the code changes related to security issues to see if they are relevant for Wordpress 2.0.

Note: See TracTickets for help on using tickets.