Full Disclosure mailing list archives
Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution
From: g30rg3_x <g30rg3x () gmail com>
Date: Thu, 12 Nov 2009 09:42:21 -0600
The same thing was discussed on the WP-Hackers list[1] and it was found that the problem was introduced by Option +Multiviews[2]... Also, someone pointed out that Option +Multiviews is enabled by default on cPanel/WHM[3] based servers; therefore lots of cheap (and not so cheap) shared hosting providers introduce this behavior, which could potentially be harmful not just to WordPress but to any software that handles uploads and respects the uploaded file extensions.

Regards

[1] http://lists.automattic.com/pipermail/wp-hackers/2009-November/thread.html#28450
[2] http://lists.automattic.com/pipermail/wp-hackers/2009-November/028466.html
[3] http://lists.automattic.com/pipermail/wp-hackers/2009-November/028482.html

_________________________
g30rg3_x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:
- WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Dawid Golunski (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Milan Berger (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Martin Aberastegue (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Martin Aberastegue (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution g30rg3_x (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Vincent Guasconi (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Moritz Naumann (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Martin Aberastegue (Nov 12)
- Re: WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution Milan Berger (Nov 12)