Opened 6 years ago
Closed 6 years ago
#46742 closed defect (bug) (wontfix)
Path Disclosure issue via Media Uploader
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 5.1 |
| Component: | Media | Keywords: | 2nd-opinion |
| Focuses: | | Cc: | |
Description
The issue occurs when a user tries to upload a picture via the Browser Uploader feature (/wp-admin/media-new.php?browser-uploader) with a modified PNG file that contains ASCII characters.
Proof of Concept (Steps to reproduce):
1 - Log in as an author
2 - Add new media using the browser uploader
3 - Modify a PNG file and insert some ASCII characters such as: <script></script>
4 - Click Browse and choose that file to upload
5 - After clicking Upload, an error will show up containing the full path of the current website:
Warning: exif_imagetype(): PNG file corrupted by ASCII conversion in /var/www/html/wp-includes/functions.php on line 2672
Sorry, this file type is not permitted for security reasons.
Note that this error is triggered even when PHP display_errors = Off.
Attachments (1)
Change History (5)
#1
@
6 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
#2
@
6 years ago
- Resolution invalid deleted
- Status changed from closed to reopened
I believe that this is not a server misconfiguration, since I have tested on several servers as well as shared hosting. Also, the debug value in wp-config.php is not turned on. PHP display_errors = Off as well. The issue occurs only when we try to upload a modified PNG.
#3
@
6 years ago
- Keywords 2nd-opinion added
@chitran I've also tested on several environments with display_errors turned off, using a PNG file modified exactly as you have described. I can get the warning to display by either ensuring that PHP display_errors is true/on, or if I set both WP_DEBUG and WP_DEBUG_DISPLAY to true (note that the latter is true by default).
I'll wait for a second opinion, but this seems like a configuration issue where any warning will display and is not something that we specifically guard against.
I'll also reiterate that if you think you found a security issue, you should report it as outlined in the Security FAQ and not here.
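The trigger described in the description and the configuration condition in comment #3 can be reproduced offline. The following is an added example, not code from the ticket or from WordPress core. It assumes a PHP CLI with the exif extension loaded and a writable temp directory. It builds a constructed "ASCII-converted" PNG (the 8-byte signature with its CR LF collapsed to LF, as a text editor would do, followed by the reporter's <script></script>), shows that exif_imagetype() raises exactly the E_WARNING quoted in the ticket, and shows one way a caller can capture that warning so that the message, rather than PHP's formatted "in /path/to/file on line N" output, is what reaches the user. The helper names (write_temp, safe_imagetype) are this example's own.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Assumes: PHP 7.1+ CLI with ext/exif loaded, writable sys_get_temp_dir().

// Constructed samples. A valid PNG begins with the 8-byte signature
// "\x89PNG\r\n\x1a\n". Opening the file in a text editor that normalises
// line endings drops the \r; PHP detects that mismatch after matching the
// first three bytes and reports "PNG file corrupted by ASCII conversion".
$intact    = "\x89PNG\r\n\x1a\n" . "\0\0\0\rIHDR";      // signature intact
$corrupted = "\x89PNG\n\x1a\n"   . "<script></script>"; // CR stripped, text appended

function write_temp(string $bytes): string {
    $path = tempnam(sys_get_temp_dir(), 'png');
    file_put_contents($path, $bytes);
    return $path;
}

/**
 * Calls exif_imagetype() with any E_WARNING captured instead of displayed.
 * Returns [int|false $type, ?string $warning]. $warning holds only PHP's
 * message text; the absolute file path and line number that display_errors
 * (or WP_DEBUG + WP_DEBUG_DISPLAY) would print are never echoed.
 */
function safe_imagetype(string $path): array {
    $warning = null;
    set_error_handler(function (int $errno, string $errstr) use (&$warning): bool {
        if ($errno === E_WARNING) {
            $warning = $errstr;
            return true;   // handled here: PHP prints nothing
        }
        return false;      // anything else goes back to PHP's default handler
    });
    try {
        $type = exif_imagetype($path);
    } finally {
        restore_error_handler();
    }
    return [$type, $warning];
}

$good = write_temp($intact);
$bad  = write_temp($corrupted);

[$type, $warn] = safe_imagetype($good);
// intact: type=3 (IMAGETYPE_PNG), warning=NULL
printf("intact:    type=%s warning=%s\n", var_export($type, true), var_export($warn, true));

[$type, $warn] = safe_imagetype($bad);
// corrupted: type=false, warning='exif_imagetype(): PNG file corrupted by ASCII conversion'
printf("corrupted: type=%s warning=%s\n", var_export($type, true), var_export($warn, true));

unlink($good);
unlink($bad);
```

Whether the second warning is rendered to the browser is decided by PHP's display_errors, which WordPress sets to 1 in wp_debug_mode() when WP_DEBUG is true and WP_DEBUG_DISPLAY is true (its default); with WP_DEBUG off WordPress leaves display_errors at the server's value. Defining WP_DEBUG_DISPLAY as false and WP_DEBUG_LOG as true in wp-config.php keeps the message, path included, in the debug log rather than in the upload error page.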
#4
@
6 years ago
- Resolution set to wontfix
- Status changed from reopened to closed
I do agree that this is not really a security issue, and I have never mentioned the term “security”. I also agree that this is something related to configuration, because of the processing of a corrupted PNG file. It may be better to get this fixed sometime in a future release. Let’s close this as wontfix if you want.
Very respectfully.
I can't reproduce this error, so I suspect that this is a server misconfiguration or the result of having debug constants set in your wp-config.php file or by some other plugin. See the Security FAQ:
Additionally, when you created this ticket: