WordPress 2.8.6 prevents malicious code from being uploaded
The WordPress developers have released security update 2.8.6 to fix two vulnerabilities. WordPress users are advised to install the update as soon as possible if untrusted authors can add content and upload images. At least one of the bugs allows attackers to inject and execute arbitrary PHP code on the server.
The vulnerability is based on a processing flaw that occurs when normalising the file names of blog post attachments. It allows attackers to disguise a PHP file as an image (for example vuln.php.jpg) and upload it without triggering the protective mechanism for blocking dangerous files in WordPress. Simply accessing the file in a browser (http://vulnerable-wp/wp-content/uploads/2009/11/test-vuln.php.jpg) subsequently allows the PHP code to be executed in the web server context.
However, not all server configurations seem to cooperate. In particular, the standard configuration of the Apache web server apparently refuses to execute the code when the file is accessed, displaying a corrupted image file in the browser instead.
Only after "Options +MultiViews" has been set in .htaccess or in the global configuration does Apache reportedly accept the file as an executable. According to the WordPress hacker mailing list, however, this setting is the default on web servers which run cPanel and WebHost Manager (WHM).
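To show why a file such as test-vuln.php.jpg slips through a check that only looks at the final extension, and what a hardened check and rename look like, here is an added Python illustration (not WordPress code and not the fix shipped in 2.8.6); the extension lists and sample names are constructed for this example.

```python
import re

# Constructed lists for this example: extensions a server may hand to a
# script interpreter, and extensions an image upload endpoint should accept.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_is_safe_image(filename: str) -> bool:
    """Look only at the last extension; this is the kind of check a
    double extension such as vuln.php.jpg walks straight past."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_EXTENSIONS


def hardened_is_safe_image(filename: str) -> bool:
    """Treat every dot-separated segment after the stem as an extension,
    which is how Apache's multiple-extension handling sees the name,
    and reject the file if any segment is a script extension."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or a dotfile
        return False
    segments = parts[1:]
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        return False
    return segments[-1] in IMAGE_EXTENSIONS


def sanitize_upload_name(filename: str) -> str:
    """Store the file under a name with exactly one extension: inner dots
    and other odd characters in the stem become underscores, so
    vuln.php.jpg is saved as vuln_php.jpg."""
    stem, _, ext = filename.rpartition(".")
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)
    return f"{stem}.{ext.lower()}"


def find_suspicious(names):
    """Audit helper for an existing uploads directory listing: return the
    names the hardened check would have rejected."""
    return [n for n in names if not hardened_is_safe_image(n)]


if __name__ == "__main__":
    # Constructed sample listing, including the name from the advisory.
    listing = ["photo.jpg", "test-vuln.php.jpg", "notes.phtml", "logo.png"]
    print(find_suspicious(listing))   # ['test-vuln.php.jpg', 'notes.phtml']
```

Renaming on upload is a complement to, not a replacement for, disabling script execution in the uploads directory on the web server itself.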
See also:
- WordPress 2.8.6 Security Release, security advisory from WordPress.
- WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution, advisory by Dawid Golunski.
(djwm)