Peaches
Posted November 13, 2009

13 November 2009, 15:50

WordPress 2.8.6 prevents malicious code from being uploaded

The WordPress developers have released security update 2.8.6 to fix two vulnerabilities. WordPress users are advised to install the update as soon as possible if untrusted authors can add content and upload images. At least one of the bugs allows attackers to inject and execute arbitrary PHP code on the server.

The vulnerability is based on a processing flaw that occurs when normalising the file names of blog post attachments. It allows attackers to disguise a PHP file as an image (for example vuln.php.jpg) and upload it without triggering the protective mechanism for blocking dangerous files in WordPress. Simply accessing the file in a browser (http://vulnerable-wp/wp-content/uploads/2009/11/test-vuln.php.jpg) subsequently allows the PHP code to be executed in the web server context.

More details at Heise security - http://www.h-online.com/security/news/item/WordPress-2-8-6-prevents-malicious-code-from-being-uploaded-859597.html
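
An added example (not WordPress's code and not part of the original post) of an upload file-name check that covers the double-extension case described above: it validates the final extension against an allow-list and also neutralises any intermediate segment such as the "php" in vuln.php.jpg. The function name, the allow-list and the sample names are assumptions, as is a web server that picks handlers from any extension segment of a file name.

```php
<?php
// Added example, not WordPress code. Allow-list and function name are assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/** Return a name that is safe to store, or null if the upload must be rejected. */
function safe_upload_name(string $name): ?string
{
    // Keep only the last path component and drop control characters.
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name) ?? '';
    $name = trim($name, ' .');

    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                      // no extension at all
    }

    // The final extension must be on the allow-list.
    $final = strtolower(array_pop($parts));
    if (!in_array($final, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Every intermediate segment that looks like an extension but is not
    // allowed gets a trailing underscore, so "php" becomes "php_".
    $base = array_shift($parts);
    foreach ($parts as $segment) {
        $looksLikeExt = preg_match('/^[a-z0-9]{2,5}$/i', $segment) === 1;
        if ($looksLikeExt && !in_array(strtolower($segment), ALLOWED_EXTENSIONS, true)) {
            $segment .= '_';
        }
        $base .= '.' . $segment;
    }
    return $base . '.' . $final;
}

// Constructed sample names.
foreach (['holiday.jpg', 'vuln.php.jpg', 'shell.php', '../x.pHp.PNG', '.htaccess'] as $n) {
    $safe = safe_upload_name($n);
    printf("%-14s => %s\n", $n, $safe ?? 'REJECTED');
}
```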