Make WordPress Core

Opened 19 years ago

Closed 19 years ago

Last modified 18 years ago

#2300 closed defect (bug) (fixed)

Privilege Escalation Vulnerability in File Upload handling

Reported by: doit-cu's profile doit-cu Owned by:
Milestone: Priority: highest omg bbq
Severity: critical Version: 2.0
Component: Administration Keywords: security uploading bg|has-patch
Focuses: Cc:


It is possible to upload and execute arbitrary PHP code via the inline uploads section of the write posts area. This can lead, among other things, to privilege escelation.

Please contact webmaster@… if you require a working proof of concept. This proof of concept makes all users of any wordpress 2.0 installation administrators. I will not release this code until this problem has been addressed. Exploit code will only be provided to those working on solving the problem; otherwise, don't ask.

Possible work around is to do a RemoveHandler in an .htaccess file in the uploads directory: RemoveHandler .php for instance. However, if you have defined more than just .php as PHP code in an apache configuration, you will need to add those filetypes to the RemoveHandler directive.

Better solution is to disallow uploading of PHP handled filetypes unless the wordpress user is an administrator.

Attachments (1)

no-php.diff (470 bytes) - added by skeltoac 19 years ago.

Download all attachments as: .zip

Change History (7)

19 years ago

#1 @skeltoac
19 years ago

  • Keywords security uploading bg|has-patch added
  • Milestone set to 2.0.1
  • Summary changed from Privilege Escelation Vulnerability in File Upload handling to Privilege Escalation Vulnerability in File Upload handling

#2 @matt
19 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [3444]) Don't allow uploading PHP files, fixes #2300.

#3 @matt
19 years ago

What other file types should we block?

#4 @doit-cu
19 years ago

You may want to consider using mimetype directives in a .htaccess file in UPLOADS to supplement this solution. For example:

ForceType text/plain

<Files ~ "\.gif">

ForceType image/gif


<Files ~ "\.jpe?g">

ForceType image/jpeg



This way you don't have to worry about people who have configured apache to recognize htm, phtml, html, php3, php4, etc, etc, etc files as PHP. Please forgive me if the formatting is not right above, this wiki-formatting thing is new and frightens me.

Thank you for your quick response on this issue, by the way.

#5 @skeltoac
19 years ago

doit-cu, thank you for the report and continued suggestions. I don't think WP should be expected to harden the upload dirs as you suggest because our upload handler only allows certain filename extensions, none of which are now handled as PHP in standard installations.

If someone can upload a php4 file, it's because they modified the filename extension whitelist. If someone's server parses .html files as PHP, it's because they modified the default PHP config.

As you are no doubt aware, this vulnerability only affected blogs with users given the roles Author and Editor. These roles were otherwise unable to affect raw PHP code because they lacked the capabilities.

#6 @(none)
18 years ago

  • Milestone 2.0.1 deleted

Milestone 2.0.1 deleted

Note: See TracTickets for help on using tickets.