Using 2.0.5, I have had my whole hosting account wiped out twice via a user being able to upload a script (commonly called c99shell.php) which is able to do a number of malicious things. From what I have seen online via a few Google searches, users are able to upload via the File Upload in the WordPress admin without logging in. However, I also noticed in my logs that the user was toying around in the WordPress theme editor, but I have no idea what he was doing. And passwords were all changed between the site defacings.
So, I'm just writing to confirm whether or not such a thing is possible (i.e., could WordPress be to blame?) and is there a way to forbid the uploading of php files?

-- Rick Beckman
