Prevent uploaded files ending up in PHP's temp dir when the URI is invalid (1 post)

  1. alec.waters@dataline.co.uk
    Posted 3 years ago #


    We have a WP site that's just gone live, and this morning came in to a bunch of unexpected anti-virus reports on the server. Here's what happened:

    - Joe Random Hacker is constantly blasting out requests to vulnerable WP plugins, trying to upload a PHP backdoor. He's trying every WP site he can find.
    - Joe's requests hit our server. They are multipart-encoded POST requests aimed at various vulnerable plugins, each trying to upload a file.
    - Joe's requests result in the "this is embarrassing" 404 page, because the plugins he's trying to exploit aren't installed on our server.
    - However, PHP has helpfully unpacked Joe's request, and has stored his malicious upload in the PHP temp directory.
    - Anti-virus sees the file in temp, deletes it, and alerts us.

    Assuming I've made myself understood :), my question is this:

    Why does WordPress/PHP go to all the lengths of unpacking all the parameters and putting uploaded files in temp before it checks if the URI exists? If I ask for /wp-content/plugins/i-do-not-exist/hackme.php , surely it's more efficient to check that this is present before doing all the parameter parsing etc?

    Is there any way I can stop WP/PHP from putting arbitrary files into temp if the URI does not exist?

    Many thanks,
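One way to get the behaviour the post asks for, as an added example that is not part of the original post or a reply in the thread: have the web server reject multipart POSTs aimed at plugin or theme scripts that do not exist on disk, so the request never reaches PHP and PHP never parses the body into its upload temp directory. The block below assumes Apache 2.x with mod_rewrite, WordPress installed at the document root, and that it is placed above WordPress's own `# BEGIN WordPress` rules in `.htaccess` (those rules send every non-file request to `index.php`, which is exactly the path the probes in the post take).

```apache
# Added example, not from the original post. Assumes Apache 2.x + mod_rewrite,
# WordPress at the document root, and that this block sits ABOVE the
# "# BEGIN WordPress" rewrite rules so it is evaluated first.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Only request bodies on POST/PUT are unpacked into the upload temp dir.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT)$ [NC]
# Only multipart bodies can carry file uploads.
RewriteCond %{HTTP:Content-Type} ^multipart/form-data [NC]
# The targeted script must NOT exist on disk: a real plugin endpoint is left alone.
RewriteCond %{REQUEST_FILENAME} !-f
# Direct hits on wp-content/plugins/... or wp-content/themes/... get a 403
# and the request is never handed to PHP, so nothing lands in upload_tmp_dir.
RewriteRule ^wp-content/(plugins|themes)/.+\.php$ - [F,L]
</IfModule>
```

The check: send a small multipart POST to a path like the one in the post (`/wp-content/plugins/i-do-not-exist/hackme.php`) against your own server, confirm the response is 403 rather than the WordPress 404 page, and confirm that PHP's temp directory (`upload_tmp_dir`, or the system temp dir when unset) stays empty. Real plugin files still exist on disk, so the `!-f` condition exempts them; requests routed through `index.php`, `wp-admin/admin-ajax.php` or the REST API are untouched because the rule only matches direct hits under `wp-content/`. The body bytes are still received by Apache, but the parsing step that writes `$_FILES` entries to disk belongs to PHP, and PHP is never invoked for a request that mod_rewrite has already answered with 403.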

Topic Closed

This topic has been closed to new replies.

About this Topic

  • Started 3 years ago by alec.waters@dataline.co.uk
  • This topic is not resolved
  • WordPress version: 3.5.1