WordPress 2.8.6 release fixes two security problems. http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/
---------
YK <[email protected]>
http://suiseeda.ddo.jp/wordpress/

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Milan Berger wrote:
>
>> Hi there,
>>
>>> IV. PROOF OF CONCEPT
>>> -------------------------
>>> Browser is enough to replicate this issue. Simply log in to your
>>> wordpress blog as a low privileged user or admin. Create a new post
>>> and use the media file upload feature to upload a file:
>>>
>>> test-image.php.jpg
>>>
>>> containing the following code:
>>>
>>> <?php
>>> phpinfo();
>>> ?>
>>>
>>> After the upload you should receive a positive response saying:
>>>
>>> test-vuln.php.jpg
>>> image/jpeg
>>> 2009-11-11
>>>
>>> and it should be possible to request the uploaded file via a link:
>>> http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg
>>
>> Tried this with lighttpd and wordpress 2.8.5 and PHP 5.2.11-pl0-gentoo
>> with Suhosin-Patch 0.9.7.
>> Shows a broken image, no code executed.
>
> This is specific to Apache's Add* directives, when combined with the PHP
> SAPI / Apache module:
> http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
> http://isc.sans.org/diary.html?storyid=6139
>
> It's been like that for years, but many Linux distros still ship with
> default configurations which bear this issue.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEAREKAAYFAkr8SxwACgkQn6GkvSd/BgyWFACcDDGWwp92WxOunIr26u3juxL5
> FvYAn1ynPl1pBolZKyV/mLQrb+i/AROY
> =sM0Q
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
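The thread above turns on mod_mime's multiple-extension handling: with an AddHandler mapping for ".php", Apache examines every dot-separated segment of a filename, so "test-vuln.php.jpg" still reaches the PHP module even though its last extension says image. The following Python is an added illustration written for this page, not code from the thread, from WordPress, or from Apache. It models that extension walk, contrasts it with the end-anchored `<FilesMatch "\.php$">` mapping that distributions later adopted as the fix, and adds a defender-side check that lists upload paths an AddHandler-style config would execute. The handler table and the upload listing are constructed samples, not any distribution's shipped configuration.

```python
import re

# Constructed sample of an AddHandler-style mapping (an assumption for this
# example, not a specific distro's config). mod_mime applies these to every
# segment after the first dot, not only to the final extension.
ADDHANDLER_EXTS = {
    ".php": "application/x-httpd-php",
    ".cgi": "cgi-script",
}

# Hardened form: <FilesMatch "\.php$"> SetHandler application/x-httpd-php.
# The anchored regex fires only when ".php" is the trailing extension.
FILESMATCH_PHP = re.compile(r"\.php$", re.IGNORECASE)


def _basename(path):
    """Return the last path component (upload listings carry directories)."""
    return path.rsplit("/", 1)[-1]


def mod_mime_handler(filename, handler_exts=ADDHANDLER_EXTS):
    """Model mod_mime's multiple-extension walk for AddHandler directives.

    Every segment after the first dot is compared case-insensitively against
    the mapped extensions; unrecognised segments such as 'jpg' are skipped,
    so 'test-vuln.php.jpg' still selects the PHP handler. In this model the
    last recognised segment wins (an assumption about overwrite order that
    does not change the double-extension outcome).
    """
    selected = None
    for segment in _basename(filename).split(".")[1:]:
        ext = "." + segment.lower()
        if ext in handler_exts:
            selected = handler_exts[ext]
    return selected


def filesmatch_handler(filename):
    """Anchored FilesMatch policy: only a file that ends in .php is PHP."""
    if FILESMATCH_PHP.search(_basename(filename)):
        return "application/x-httpd-php"
    return None


def suspicious_uploads(paths, handler_exts=ADDHANDLER_EXTS):
    """Defender check over an upload listing.

    Flags paths whose final extension looks like a harmless media type but
    which an AddHandler-style configuration would hand to a script handler
    because of an earlier '.php' (or other mapped) segment.
    """
    flagged = []
    for path in paths:
        name = _basename(path)
        last = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if mod_mime_handler(name, handler_exts) and last not in handler_exts:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Constructed upload listing, modelled on the path in the thread.
    SAMPLE_UPLOADS = [
        "wp-content/uploads/2009/11/test-vuln.php.jpg",
        "wp-content/uploads/2009/11/photo.jpg",
        "wp-content/uploads/2009/11/readme.txt",
    ]
    for p in SAMPLE_UPLOADS:
        print(p, "AddHandler ->", mod_mime_handler(p),
              "| FilesMatch ->", filesmatch_handler(p))
    print("flagged:", suspicious_uploads(SAMPLE_UPLOADS))
```

Run against a real uploads directory listing, the last function gives a quick inventory of files that would only be safe under the anchored mapping; the two handler functions show why lighttpd (which does not do mod_mime's segment walk) showed a broken image while Apache with AddHandler executed the file.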
