• My server was compromised due to insecurities with the WordPress upload utility. The utility does not restrict file types to images. It would be nice if this type of restriction were at least a configurable option. Because the upload utility allows (from my tests) anything to be uploaded, a hacker uploaded a PHP file into the uploads directory where he was allowed to execute it. Regardless of what the permissions should or should not have been in the uploads directory, the file should never have been accepted by the upload utility.

  • Only admin users are allowed to upload anything (it was introduced in WP 2.3). To avoid this behaviour you can remove unfiltered_upload capability from your admin users, but your site won’t be secure even if you allow only images.

    Thread Starter slaterecords

    (@slaterecords)

    Ah, so according to this article, WP does check file types (at least extensions). In what version was this introduced (I am using 2.3.1 now but wasn’t when the exploit occurred)?

    Yes, I understand that my site won’t be bulletproof even if you only allowed images to be uploaded, but it’s a good security step nonetheless.

    As I said, unfiltered_upload capability was introduced in WordPress 2.3 (see changeset).

    What version did you have before that incident?

    Thread Starter slaterecords

    (@slaterecords)

    Well, unfiltered_upload is the option to instruct the system to not filter file types, isn’t it? What I was asking is when the file types filter was introduced, not the unfiltered_upload option. Please correct me if I am misunderstanding.

    I think that it was version 2.0.x, but I am not positive. It might have been 2.1.x.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    The checking of filetypes was added about 2 years ago in changeset 2979. It’s been modified and moved around a few times since then.

    Thread Starter slaterecords

    (@slaterecords)

    Why would it have accepted a .php file then?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    If the hacker had your admin password, then he can upload anything. That’s what the unfiltered_upload capability is for. Admins can upload anything and bypass the filter.

    Also, it’s entirely possible (and far, far more likely) that the hacker got access via some other method and was not constrained by the limits of the upload utility. Because of permissions, often the only place they can create files is in the upload directory, however that’s not to say that he definitely used the upload utility to actually do it. Most likely he used another method. With older insecure WordPress versions, there were lots of them.

    This is why you should always upgrade to the latest WordPress: Security.
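Whichever route put the file there, the uploads directory is the place to check. The following is an added example, not part of the original thread and not WordPress code: a small audit that walks an uploads tree and flags files a PHP-enabled server might execute. It goes slightly beyond the case in the thread by also catching double extensions and PHP open tags inside media files. The extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled web server may hand to the interpreter.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
PHP_OPEN_TAG = b"<?php"


def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Check every dotted component, so "a.php.jpg" is caught as well as "a.php".
            parts = [p.lower() for p in name.split(".")[1:]]
            if any(p in EXECUTABLE_EXTS for p in parts):
                findings.append((rel, "executable extension"))
                continue
            # A media file should never contain a PHP open tag (first 1 MiB checked).
            with open(path, "rb") as fh:
                if PHP_OPEN_TAG in fh.read(1024 * 1024).lower():
                    findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: one clean image and three files the audit should flag."""
    samples = {
        "2008/01/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2008/01/dropped.php": b"<?php echo 'constructed sample'; ?>",
        "2008/01/banner.php.jpg": b"\xff\xd8\xff\xe0",
        "2008/02/logo.gif": b"GIF89a<?php echo 'constructed sample'; ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_uploads(tmp):
            print(f"{rel}: {reason}")
```

On a real site, pass the path of the uploads directory to `audit_uploads` in place of the temporary sample tree.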

    I just tested out the “Only admin users are allowed to upload anything” and it failed considering that an Author was able to upload a .zip file on my test server.

    This seems to be a very basic security flaw that could take down hosting servers very easily.

  • The topic ‘upload not secure’ is closed to new replies.