WordPress 2.8.6 prevents malicious code from being uploaded

13 November 2009, 15:50

The WordPress developers have released security update 2.8.6 to fix two vulnerabilities. WordPress users are advised to install the update as soon as possible, particularly on sites where untrusted authors can add content and upload images. At least one of the bugs allows an attacker with upload rights to inject and execute arbitrary PHP code on the server.

The vulnerability stems from a processing flaw in the normalisation of the file names of blog post attachments. An attacker can disguise a PHP file as an image by giving it two extensions (for example vuln.php.jpg): only the trailing extension is compared with the list of permitted types, so the file passes WordPress's protective check for dangerous files and is stored under wp-content/uploads. Whether the disguised file then runs depends on the web server configuration: on an Apache installation that assigns PHP by extension through mod_mime (AddHandler application/x-httpd-php .php), every dot-separated segment of the name is considered, so the "php" segment selects the PHP handler regardless of the trailing ".jpg". Simply requesting the file in a browser (http://vulnerable-wp/wp-content/uploads/2009/11/test-vuln.php.jpg) then executes the PHP code with the privileges of the web server.
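The following is an added illustration of the double-extension bypass, not code from WordPress or from the article. It models the flawed upload check (last extension only) beside a strict one, models the assumed Apache mod_mime behaviour of considering every extension segment, and runs a small audit over a constructed listing of an uploads directory. The allow-list, the set of executable extensions and the sample paths are all assumptions chosen for the example.

```python
"""Double-extension upload bypass: the weak file name check beside a strict one,
plus an audit over a constructed uploads listing.

Assumed behaviour modelled here: Apache mod_mime configured with
"AddHandler application/x-httpd-php .php", which looks at every extension
segment of a file name rather than only the last one (an assumption of this
example, not something taken from the article)."""
import os
from typing import Iterable, List

# Image types the upload form is meant to accept (assumed allow-list).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Segments an extension-based PHP handler would hand to the interpreter
# (assumed set; "php" alone is enough for the bypass described in the text).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}


def extension_segments(filename: str) -> List[str]:
    """All dot-separated segments after the base name, lower-cased.

    This mirrors how mod_mime sees a multi-extension name:
    'vuln.php.jpg' -> ['php', 'jpg'].
    """
    parts = os.path.basename(filename).split(".")
    return [p.lower() for p in parts[1:]]


def naive_is_allowed(filename: str) -> bool:
    """The flawed check: only the final extension is compared with the
    allow-list. 'vuln.php.jpg' ends in '.jpg', so it is accepted."""
    segments = extension_segments(filename)
    return bool(segments) and segments[-1] in IMAGE_EXTENSIONS


def apache_would_execute_as_php(filename: str) -> bool:
    """True if an extension-based PHP handler would run this file:
    any segment, not just the last, matches an executable extension."""
    return any(seg in EXECUTABLE_EXTENSIONS for seg in extension_segments(filename))


def strict_is_allowed(filename: str) -> bool:
    """Hardened check: exactly one extension, and it must be an image type.
    Rejects 'vuln.php.jpg', 'a..jpg' and 'shell.phtml'; accepts 'photo.JPG'."""
    segments = extension_segments(filename)
    return len(segments) == 1 and segments[0] in IMAGE_EXTENSIONS


def find_suspicious_uploads(paths: Iterable[str]) -> List[str]:
    """Audit helper for a site that ran a vulnerable version: return every
    path in an uploads listing that passes the naive check but would still
    be executed as PHP by the assumed handler configuration."""
    return [p for p in paths if naive_is_allowed(p) and apache_would_execute_as_php(p)]


# Constructed sample listing of wp-content/uploads (not from a real site).
SAMPLE_UPLOADS = [
    "wp-content/uploads/2009/11/holiday.jpg",
    "wp-content/uploads/2009/11/test-vuln.php.jpg",
    "wp-content/uploads/2009/11/logo.png",
    "wp-content/uploads/2009/10/backdoor.phtml.gif",
]

if __name__ == "__main__":
    for name in ["vuln.php.jpg", "photo.JPG", "shell.phtml"]:
        print(f"{name:14} naive={naive_is_allowed(name)!s:5} "
              f"strict={strict_is_allowed(name)!s:5} "
              f"php_handler={apache_would_execute_as_php(name)}")
    print("suspicious:", find_suspicious_uploads(SAMPLE_UPLOADS))
```

Two practical notes. First, an Apache setup that routes PHP with a regex on the end of the name (`<FilesMatch "\.php$">` with `SetHandler`) only matches a trailing .php and is not caught by this particular bypass, but relying on that is fragile; the robust fix is the one the strict check above implies: accept exactly one extension and, better still, rename the file on the server so that only the validated extension survives. Second, after upgrading, it is worth running the audit function over a real listing of wp-content/uploads (find wp-content/uploads -type f) from the period in which the site ran a vulnerable version, since the update stops new uploads but does not remove files that are already there.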

More details at Heise security - http://www.h-online.com/security/news/item/WordPress-2-8-6-prevents-malicious-code-from-being-uploaded-859597.html