Opened 11 years ago
Closed 9 years ago
#28994 closed defect (bug) (invalid)
Install plugin by upload file not check file type
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.9.1 |
| Component: | Plugins | Keywords: | dev-feedback has-patch |
| Focuses: | administration | Cc: | |
Description
Plugin upload installs do not check the file type. If a hacker brute-forces or gets admin-level access, they can run PHP scripts on my site.
To reproduce:
- Upload a PHP file via Plugins->Add New->Upload. After the upload it asks for FTP login details; leave it and do step 2.
- Use a browser to go to http://mysite/wp-content/uploads/[CURRENT YEAR]/[CURRENT MONTH]/filename.php
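The check the reporter is asking for, as an added illustration that is not WordPress code: a plugin package must be a real ZIP archive, so an upload handler should verify both the extension and the archive content before writing anything to disk. The function name `validate_plugin_upload` and the constructed sample inputs are assumptions made for this example.

```python
import io
import zipfile

# Local file header or empty-archive end record: the only two byte sequences a ZIP may start with.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")

# Constructed sample: the body of a PHP script an attacker might try to upload as a "plugin".
PHP_SCRIPT = b"<?php echo 'constructed sample, not a plugin'; ?>"


def build_sample_zip() -> bytes:
    """Constructed sample: a minimal but structurally valid plugin archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample-plugin/sample-plugin.php", "<?php\n/* Plugin Name: Sample */\n")
    return buf.getvalue()


def validate_plugin_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded plugin package.

    Hypothetical server-side check: the client-supplied filename must end in
    .zip AND the bytes must parse as a ZIP archive, so a PHP file is rejected
    whether it is uploaded as-is or simply renamed to .zip.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()  # strip any path component
    if not name.endswith(".zip"):
        return False, "only .zip packages are accepted"
    if not data.startswith(ZIP_MAGIC):
        return False, "content does not start with a ZIP signature"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if not zf.namelist():
                return False, "archive contains no files"
            if zf.testzip() is not None:
                return False, "archive has a corrupt member"
    except zipfile.BadZipFile:
        return False, "content is not a parseable ZIP archive"
    return True, "ok"


if __name__ == "__main__":
    for fname, blob in [("shell.php", PHP_SCRIPT),
                        ("shell.zip", PHP_SCRIPT),
                        ("sample-plugin.zip", build_sample_zip())]:
        print(fname, validate_plugin_upload(fname, blob))
```

Checking the extension alone is not enough, which is why the second case (a PHP script renamed to `.zip`) is rejected on content rather than on name.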
Attachments (1)
Change History (9)
#3 (follow-up: 5), 11 years ago
Blocked php file upload both on local and on live, too http://i.imgur.com/UlmXKED.png
ZIP upload was successful, too.
#5 (in reply to: 3; follow-up: 6), 11 years ago
Replying to michalzuber:
Blocked php file upload both on local and on live, too http://i.imgur.com/UlmXKED.png
ZIP upload was successful, too.
Sorry, I tested on my production server and it worked. I guess some plugin on my production server allows zip file uploads.
#6 (in reply to: 5), 11 years ago
Replying to mix5003:
Replying to michalzuber:
Blocked php file upload both on local and on live, too http://i.imgur.com/UlmXKED.png
ZIP upload was successful, too.
Sorry, I tested on my production server and it worked. I guess some plugin on my production server allows zip file uploads.
It worked for me as described; it should be OK. Had no issues.
Reproduced https://youtu.be/DUCGtevodFA