Open GoogleCodeExporter opened 8 years ago
Update:
...Also ensure that the plugin deletes ANY file that does not have the right
type of extension, *before* writing it to the uploads directory, because it
*might* create a vulnerability for inexperienced users.
Details:
1) User has uploads directory permissions set "wide open", granting "execute"
rights to the web server for all uploaded files.
2) Hacker uploads "rootkit.php"
3) BP Media saves file to the uploads directory.
4) In the 1/10 of a second window while the plugin is analyzing the file before
it gets rejected and deleted, the hacker executes the file by calling
http://example.com/...uploads dir.../rootkit.php
5) Hacker gains root access to the WP install
Solutions:
- Grab the filename posted to the server by the upload form, and if it's not a
supported extension never even convert the TMP file to a real file, just unlink
it.
- Never use the user-supplied filename in the first place. Grab the extension,
and save it as [random].[extension]
Original comment by CarlRoett@gmail.com
on 4 Aug 2010 at 5:32
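The two fixes proposed above (check the extension of the posted filename before the temp file is ever moved, and save under a random name) as one PHP upload handler. This is an added example, not BP Media's code; `handle_upload`, the `$allowed` list and the `$uploadsDir` path are assumptions chosen for illustration.

```php
<?php
// Added example (not BP Media's own code): decide on the client-supplied
// filename *before* the upload leaves PHP's temp location, so a rejected
// file never exists inside the web-reachable uploads directory at all.
// $allowed and $uploadsDir are assumed inputs for illustration.

function handle_upload(array $file, array $allowed, string $uploadsDir): ?string
{
    // PHP holds the upload in a temp path outside the web root until
    // move_uploaded_file() is called; nothing is web-reachable yet.
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Validate using only the posted name; the temp file has not been copied
    // anywhere the web server could serve or execute it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        // Reject: discard the temp file, never creating it under uploads/.
        @unlink($file['tmp_name']);
        return null;
    }

    // Never reuse the user's filename: random name + the validated extension.
    // This also neutralises tricks like "shell.php.jpg", since only the
    // final, allow-listed extension survives.
    $target = rtrim($uploadsDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    // Clear any execute bit even if the directory itself is "wide open".
    chmod($target, 0644);
    return $target;
}

// Usage from the form handler (constructed values):
// $saved = handle_upload($_FILES['media'], ['jpg', 'jpeg', 'png', 'gif'], '/var/www/uploads');
```

Because the reject/unlink decision happens while the file is still in the temp location, the race window described in step 4 disappears: there is no moment at which `uploads/rootkit.php` exists. The extension check is the minimum the report asks for; a production handler would additionally verify the content (for example with `finfo_file`) rather than trusting the extension alone.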
Original issue reported on code.google.com by
CarlRoett@gmail.com
on 16 Jul 2010 at 10:18