Forum Replies Created

Viewing 1 replies (of 1 total)
  • I set up a brand new blog in order to test this issue. No modifications were made to allowed file types and they are still “.txt .doc .pdf .jpg .gif .zip.” I was able to upload a simple phpinfo page named info.php.jpg. It appears no actual checking of the file MIME type is done, so as long as the file extension is allowed, it will be uploaded. The default path is web accessible in a fresh install as it’s using the wp-content/uploads/

    At the very least a .htaccess file should be added with something like “Deny from all” to prevent web access to the tdof/tmp folder by default.

    So if a person knows their IP address, they can very easily create a link to the tmp files that were uploaded and access them. Imagine if this were a PHP file browser script. It can wreak havoc at that point.
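The extension-only check the post describes, beside a content-aware check that rejects a name like info.php.jpg, as an added Python example that is not code from the forum post or from the plugin under discussion; the allow-list is the one quoted in the post, while the magic-byte table and the PHP-tag heuristic for plain-text types are constructed assumptions.

```python
import os
import re

# Allow-list exactly as quoted in the post (default configuration)
ALLOWED_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "gif", "zip"}

# Constructed table of leading bytes for the binary types we accept
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}


def naive_allowed(filename: str) -> bool:
    """Extension-only check of the kind the post describes.

    Looks at the last extension alone, so info.php.jpg is accepted.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_allowed(filename: str, head: bytes) -> bool:
    """Accept only single-extension names whose content matches the type.

    head: the first bytes of the uploaded file (a few hundred are enough).
    """
    parts = os.path.basename(filename).lower().split(".")
    # Exactly one extension, and a plain stem: rejects info.php.jpg
    if len(parts) != 2 or not re.fullmatch(r"[\w -]+", parts[0]):
        return False
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if ext in MAGIC:
        # Content must start with a signature for the declared type
        return any(head.startswith(sig) for sig in MAGIC[ext])
    # txt has no signature; refuse anything carrying a PHP open tag (assumption)
    return b"<?" not in head
```

In a real deployment the content check complements, rather than replaces, the .htaccess “Deny from all” the post recommends for the upload directory.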
