upload not secure (9 posts)

  1. slaterecords
    Member
    Posted 7 years ago #

    My server was compromised due to insecurities with the WordPress upload utility. The utility does not restrict file types to images. It would be nice if this type of a restriction were at least a configurable option. Because the upload utility allows (from my tests) anything to be uploaded, a hacker uploaded a PHP file into the uploads directory where he was allowed to execute it. Regardless of what the permissions should or should not have been in the uploads directory, the file should never have been accepted by the upload utility.

  2. Alex Concha
    Member
    Posted 7 years ago #

    Only admin users are allowed to upload anything (it was introduced in WP 2.3). To avoid this behaviour you can remove unfiltered_upload capability from your admin users, but your site won't be secure even if you allow only images.

  3. slaterecords
    Member
    Posted 7 years ago #

    Ah, so according to this article, WP does check file types (at least extensions). In what version was this introduced (I am using 2.3.1 now but wasn't when the exploit occurred)?

    Yes, I understand that my site won't be bulletproof even if you only allowed images to be uploaded, but it's a good security step nonetheless.

  4. Alex Concha
    Member
    Posted 7 years ago #

    As I said, unfiltered_upload capability was introduced in WordPress 2.3 (see changeset)

    What version did you have before that incident?

  5. slaterecords
    Member
    Posted 7 years ago #

    Well, unfiltered_upload is the option to instruct the system to not filter file types, isn't it? What I was asking is when the file types filter was introduced, not the unfiltered_upload option. Please correct me if I am misunderstanding.

    I think that it was version 2.0.x, but I am not positive. It might have been 2.1.x.

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    The checking of filetypes was added about 2 years ago in changeset 2979. It's been modified and moved around a few times since then.

  7. slaterecords
    Member
    Posted 7 years ago #

    Why would it have accepted a .php file then?

  8. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    If the hacker had your admin password, then he can upload anything. That's what the unfiltered_upload capability is for. Admins can upload anything and bypass the filter.

    Also, it's entirely possible (and far, far more likely) that the hacker got access via some other method and was not constrained by the limits of the upload utility. Because of permissions, often the only place they can create files is in the upload directory; however, that's not to say that he definitely used the upload utility to actually do it. Most likely he used another method. With older insecure WordPress versions, there were lots of them.

    This is why you should always upgrade to the latest WordPress: Security.
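The mitigation Alex Concha describes in post 2 (take `unfiltered_upload` away from administrators) and the bypass Otto explains in post 8 (an account holding that capability skips the type filter entirely) can both be enforced from a small must-use plugin. The following is an added example written for this thread, not code from WordPress core or from any of the posters. It assumes a single-site install recent enough to have the `user_has_cap`, `upload_mimes` and `wp_handle_upload_prefilter` hooks and the `wp_check_filetype_and_ext()` helper; the plugin name and the image-only whitelist are choices made here, not WordPress defaults.

```php
<?php
/**
 * Plugin Name: Image-Only Uploads (added example, not WordPress core code)
 * Description: Deny unfiltered_upload for every account and accept only image files.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins
 * and cannot be deactivated from the dashboard.
 */

// 1. Deny the unfiltered_upload capability for every user, administrators included.
//    Filtering at capability-check time avoids writing role changes to the database
//    and also covers roles or plugins that grant the capability later.
add_filter( 'user_has_cap', function ( array $allcaps ) {
    $allcaps['unfiltered_upload'] = false;
    return $allcaps;
} );

// 2. Replace the default allowed-MIME list with an image-only whitelist.
//    Anything not listed here (php, zip, html, svg, ...) is rejected by
//    wp_check_filetype() before the file is moved into the uploads directory.
add_filter( 'upload_mimes', function ( array $mimes ) {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif'          => 'image/gif',
        'png'          => 'image/png',
        'webp'         => 'image/webp',
    );
} );

// 3. Second check on the actual file contents, not just the name.
//    wp_check_filetype_and_ext() inspects the bytes of the temporary file where
//    PHP's fileinfo is available, so a PHP script renamed to .png still fails.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );

    $is_image = ! empty( $check['ext'] )
        && ! empty( $check['type'] )
        && 0 === strpos( $check['type'], 'image/' );

    if ( ! $is_image ) {
        // Setting 'error' to a string makes wp_handle_upload() abort and show this message.
        $file['error'] = 'Only image files (jpg, gif, png, webp) may be uploaded.';
    }

    return $file;
} );
```

Hook 1 addresses the bypass from post 8: with `unfiltered_upload` denied, the extension and MIME checks run for administrators too. Hooks 2 and 3 narrow what the filter accepts, which is the configurable image-only restriction the original poster asked for. None of this changes Otto's main point: the upload filter only guards one entry point, and an attacker who reaches the file system through another hole in an outdated install is never constrained by it, so keeping WordPress current remains the primary control.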

  9. Longhair
    Member
    Posted 7 years ago #

    I just tested out the "Only admin users are allowed to upload anything" and it failed considering that an Author was able to upload a .zip file on my test server.

    This seems to be a very basic security flaw that could take down hosting servers very easily.

Topic Closed

This topic has been closed to new replies.
