Support » Fixing WordPress » Prevent uploaded files ending up in PHP's temp dir when the URI is invalid

  • Hello,

    We have a WP site that’s just gone live, and this morning came in to a bunch of unexpected anti-virus reports on the server. Here’s what happened:

    – Joe Random Hacker is constantly blasting out requests to vulnerable WP plugins, trying to upload a PHP backdoor. He’s trying every WP site he can find.
    – Joe’s requests hit our server. They are multipart-encoded POST requests aimed at various vulnerable plugins, each trying to upload a file.
    – Joe’s requests result in the “this is embarrassing” 404 page, because the plugins he’s trying to exploit aren’t installed on our server.
    – However, PHP has helpfully unpacked Joe’s request, and has stored his malicious upload in the PHP temp directory.
    – Anti-virus sees the file in temp, deletes it, and alerts us.

    Assuming I’ve made myself understood 🙂 , my question is this –

    Why does WordPress/PHP go to all the lengths of unpacking all the parameters and putting uploaded files in temp before it checks if the URI exists? If I ask for /wp-content/plugins/i-do-not-exist/hackme.php , surely it’s more efficient to check that this is present before doing all the parameter parsing etc?

    Is there any way I can stop WP/PHP from putting arbitrary files into temp if the URI does not exist?

    Many thanks,

  • The topic ‘Prevent uploaded files ending up in PHP's temp dir when the URI is invalid’ is closed to new replies.